Originally published on September 3th, 2019
Severity: High
| Customer Data Leaked | CloverSites Data Leaked |
|
|
Impact
With a church website design company leaking, it is assumed that the impact will be minimal. However, with the data made available in this leak, it can be taken advantage of in a number of ways, such as …Identity Theft
With records including Personally Identifying Information (PII), billing details, and even personal details about church clergy and volunteers, it would be easy for any ill intentioned persons to claim to represent the organization. They can therefore open financial accounts and solicit donations to their own benefit using the church’s identity, or that of any affiliated individual.
Contact information, including billing address and direct emails and phone numbers
Customer’s purchase and cancellation information
Competitive Advantage
Any competitors in the website design and/or consulting field can easily use this data to their benefit. Whether it’s to undercut pricing, steal unhappy customers, or otherwise market to Clover Sites’ clients, this leak can easily lead to their company losing current and potential new business. Marketing agencies, web design professionals, and others selling the same or similar services have now had their target audience’s details served up on a silver platter!
Notes about an unhappy customer who subsequently cancelled their service
Pain points for CloverSite’s customers
Internal notes about a customer service error
Hate Crimes
Due to mass shootings and other attacks against religious organizations and at places of worship over the past years, there is fear of yet another occuring. Having details of church administration members and billing addresses – often differing from the main temple’s address – so someone can easily use this for their own criminal plans. There are also customers who are not variations of Christian churches, but rather are synagogues, leading to a slew of possibilities for the worst antisemites to take advantage of the data made available in this leak.
A synagogue’s data included in the leak, noting past due payments
Status: Clover Sites, Inc. – an unaccredited business according to the Better Business Bureau (BBB) – has not yet publicly disclosed the two recent data leaks our team is aware of that they’ve experienced this year. Despite several attempts and a request for comment regarding this data incident, Clover Sites has not responded nor commented at the time of publication.
Prevention: The easiest way to prevent a data leak such as this from occurring is to implement a secure password for a cloud-hosted database. In this case, the ElasticSearch instances were indexed by device search engines Shodan and BinaryEdge, leaving it vulnerable at the hands of web users. Clover Sites – as a brand under the umbrella Ministry Brands – states that they are “making adjustments to become compliant” with General Data Protection Regulation (GDPR) requirements. Once they are actually in compliance, perhaps we will no longer see their customers’ data put at risk.
