
Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable

Mark Holden
November 06, 2019

Severity: High

Type: ElasticSearch Database

Size: 300 MB accounting for 65,800 records

Countries Affected: United States, Canada, multiple European countries, Caribbean nations, South Africa, Democratic Republic of Congo, Australia, New Zealand, etc.

Our security research team at Website Planet has recently uncovered a second incident within the last couple of months at the website builder and design service Clover Sites, Inc., a subsidiary of Ministry Brands. A cybersecurity expert initially reached out to inform them of a data leak, which was subsequently closed. Not long after, our own white-hat hacker discovered yet another data leak, leaving tens of thousands of clergymen and congregation members vulnerable.

Customer Data Leaked
  • Full names of church clergy or other point of contact for clients
  • Direct phone numbers of clients
  • Billing emails
  • Billing addresses
  • Last 4 digits of credit card numbers of paying customers
  • Amount paid, recurring payments, billing dates
  • Internal memos and records
  • Customer email communication
  • Ports, Pathways, and data storage information
  • Server IP addresses

Impact

When the company leaking data is a church website design service, it is assumed that the impact will be minimal. However, the data made available in this leak can be taken advantage of in a number of ways, such as:

Identity Theft

With records including Personally Identifying Information (PII), billing details, and even personal details about church clergy and volunteers, it would be easy for any ill-intentioned person to claim to represent the organization. They could then open financial accounts and solicit donations for their own benefit using the church’s identity, or that of any affiliated individual.


Contact information, including billing address and direct emails and phone numbers


Customer’s purchase and cancellation information

Competitive Advantage

Any competitors in the website design and/or consulting field can easily use this data to their benefit. Whether it’s to undercut pricing, steal unhappy customers, or otherwise market to Clover Sites’ clients, this leak can easily lead to their company losing current and potential new business. Marketing agencies, web design professionals, and others selling the same or similar services have now had their target audience’s details served up on a silver platter!


Notes about an unhappy customer who subsequently cancelled their service


Pain points for Clover Sites’ customers


Internal notes about a customer service error

Hate Crimes

Due to mass shootings and other attacks against religious organizations and at places of worship over the past years, there is fear of yet another occurring. With details of church administration members and billing addresses, which often differ from the main temple’s address, someone could easily use this for their own criminal plans.

There are also customers who are not variations of Christian churches, but rather are synagogues, leading to a slew of possibilities for the worst antisemites to take advantage of the data made available in this leak.


A synagogue’s data included in the leak, noting past due payments

Status: Clover Sites, Inc. – an unaccredited business according to the Better Business Bureau (BBB) – has not yet publicly disclosed the two recent data leaks our team is aware of that they’ve experienced this year. Despite several attempts and a request for comment regarding this data incident, Clover Sites has not responded nor commented at the time of publication.

Prevention: The easiest way to prevent a data leak such as this from occurring is to implement a secure password for a cloud-hosted database. In this case, the ElasticSearch instances were indexed by the device search engines Shodan and BinaryEdge, leaving them exposed to any web user. Clover Sites, as a brand under the Ministry Brands umbrella, states that they are “making adjustments to become compliant” with General Data Protection Regulation (GDPR) requirements. Once they are actually in compliance, perhaps we will no longer see their customers’ data put at risk.
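For operators who want to confirm that their own ElasticSearch node demands credentials, here is a small self-audit, added as an example and not taken from the original report or from Clover Sites. The function names, the sample responses and the 127.0.0.1:9200 address are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

# Constructed sample bodies (not data from the incident).
SAMPLE_OPEN = b'{"name":"node-1","cluster_name":"example","version":{"number":"0.0.0"}}'
SAMPLE_LOCKED = b'{"error":{"type":"security_exception"},"status":401}'


def classify(status, body):
    """Classify the reply to an unauthenticated GET / on the HTTP port."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "unknown"          # 200 but not JSON: some other service
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "open"             # cluster banner served without credentials
    return "unknown"


def check_own_node(base_url, timeout=5):
    """Send one credential-free request to a node you operate."""
    if not base_url.startswith(("http://", "https://")):
        raise ValueError("base_url must be http(s)")
    try:
        with urllib.request.urlopen(base_url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"      # the expected result from outside your network


if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN))     # open
    print(classify(401, SAMPLE_LOCKED))   # auth-required
    # Hypothetical address; replace with your own node.
    print(check_own_node("http://127.0.0.1:9200/"))
```

A result of "open" from a machine outside your network means the node answers anyone, which is the condition that lets device search engines index it.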

What is Website Planet?

Website Planet is the premier authority for web designers, developers, digital marketers, and entrepreneurs with an online presence. Offering useful tools and resources for anyone, from the beginner to the seasoned professional, we pride ourselves on our integrity and honesty.

Our ethical security research team discovers and discloses some of the most impactful data leaks, as a free community service we perform for the web at large.
