Sark Technologies is proud of its reservation and management system, SuperINN. They depict it as the first web-based property management system designed specifically for the small lodging system. They also advertise that SuperINN easily integrates with third-party sites and safely processes and stores credit cards. On August 2, however, their external advocate notified consumers and the California say Attorney Generals Office of a hack that impacted approximately 43,250 individuals residing across the U.S. and in 64 other countries, including 2,882 residents of California. According to the counsels summary of the incident, ace or more attackers identified a vulnerability in an image upload purpose of the SuperINN Plus web coating available to authenticated users that allowed the aggressor to upload PHP web shells. The earliest of these web shells found on the system was dated september 23, 2018. Investigators also found PHP scripts used to export data from the SuperINN plus database. The data types included: encrypted card numbers, names, home and citation card billing addresses, telephone numbers, and email addresses of SuperINN.coms customers guests. Of note, they write: It is assumed that the assailant had also obtained the decryption cay using a PHP web shell. The earliest evidence of exported data available included records dated january 1, 2019 and later. The exported data continued through May 30, 2019. SuperINN.com became aware of the incident May 26, 2019. The notification does not indicate how the firm first became aware of an incident, but by June 3: SuperINN.com had (a) identified and removed the PHP web shells and (b) reconfigured the web coating to prevent the ability to upload PHP files. But that wasnt the only issue investigators detected: In addition to the PHP web shell, an attacker identified a SQL injection vulnerability in the web application and appeared to make exercise of it to pull encrypted cardholder data from the database. Available logs showed this SQL shot being used in June and July 2019. It is again assumed that the assailant had previously obtained the decryption key using a PHP web shell. By July 16, 2019, SuperINN.com had (a) identified and removed the SQL injection vulnerability and (b) rotated encryption keys. Based on this information, the window of potential exposure for card data has been localize as September 23, 2018 through July 16, 2019. Somewhat unusually, they actually provided all that technical detail to consumers who are beingness notified of the incident. If you want to read their full account and template notification, you canful happen it here.