Cyber Incident Victim: SuperINN
Date: Sep 2018
Location: United States of America
Summary
Attackers exploited a vulnerability in SuperINN's authenticated image upload function to deploy PHP web shells, enabling unauthorized database access and data exfiltration. The compromised information included encrypted credit card numbers, names, addresses, phone numbers, and email addresses of guests, with the decryption key likely stolen via the same method. A subsequent SQL injection vulnerability was also leveraged to extract encrypted cardholder data. The company addressed these issues by removing malicious scripts, securing file upload capabilities, patching the SQL flaw, and rotating encryption keys. Over 43,000 individuals across the U.S. and 64 other countries were affected, including nearly 2,900 California residents.
Description
The SuperINN Plus data breach originated from an attack exploiting a vulnerability in the image upload function of its web application, which was accessible to authenticated users. Attackers leveraged this flaw to upload PHP web shells onto the system, with the earliest identified instance dated September 23, 2018. These web shells enabled unauthorized access to the SuperINN Plus database, where attackers deployed PHP scripts to export sensitive guest information. The compromised data included encrypted credit card numbers, names, home and billing addresses, telephone numbers, and email addresses. Evidence indicated that exported records began appearing on January 1, 2019, with data exfiltration continuing through May 30, 2019. SuperINN.com discovered the incident on May 26, 2019, though the initial detection method remains unspecified in available reports. By June 3, 2019, the company had removed all identified PHP web shells and reconfigured the application to block PHP file uploads, addressing the initial attack vector.

During subsequent investigations, a separate SQL injection vulnerability was identified in the web application. Attackers exploited this flaw to extract encrypted cardholder data from the database, with logged activity occurring in June and July 2019. Forensic analysis suggested the attackers likely obtained the decryption key for the encrypted data through earlier PHP web shell access. SuperINN.com remediated the SQL injection vulnerability and rotated encryption keys by July 16, 2019, establishing the final endpoint of the exposure window. The total breach period spanned from September 23, 2018, to July 16, 2019, affecting approximately 43,250 individuals across the United States and 64 other countries, including 2,882 California residents. Notification letters and technical details were subsequently provided to impacted consumers and regulatory authorities, disclosing the multi-stage compromise but confirming no evidence of decrypted card data misuse. The incident exposed systemic vulnerabilities across both application security controls and cryptographic key management processes within the SuperINN platform.
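The initial vector above, a PHP web shell accepted by an authenticated image upload, is the kind of defect a server-side validator closes. The following is an added example, not code from SuperINN or its vendor: it assumes a hypothetical upload handler that receives the client-supplied filename and the raw bytes, and it enforces an extension allowlist, checks the file signature against that extension, rejects image-shaped files that carry PHP open tags (polyglots), and chooses a random storage name so the client never controls the path.

```python
import os
import re
import secrets
from typing import Optional

# Constructed allowlist: permitted extension -> expected leading bytes (file signature).
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# PHP open tags. A genuine image never contains these; an "image" that does
# is a polyglot intended to be executed if it ever lands somewhere PHP runs.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_image_upload(client_name: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name if the upload is an acceptable image,
    or None if it must be rejected. The client name is consulted only for its
    final extension; the stored name never includes any part of it.
    (Hypothetical handler written for this example.)"""
    base = os.path.basename(client_name)          # drop any path components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_SIGNATURES:
        return None                                # .php, .phtml, no extension, ...
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return None                                # extension and bytes disagree
    if PHP_TAG.search(data):
        return None                                # image bytes carrying PHP source
    # Random basename: the uploader cannot predict or pick the resulting path.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("photo.png", png))                     # random name
    print(validate_image_upload("shell.php", b"<?php echo 1; ?>"))     # None
    print(validate_image_upload("poly.gif", b"GIF89a<?php echo 1; ?>"))  # None
```

Validation alone is not sufficient: the upload directory should also be served with script execution disabled, which is the second control the company applied when it reconfigured the application to stop PHP uploads.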
