Our website contains links to affiliate websites and we receive an affiliate commission for any purchase made to the affiliate website by clicking the links in our website. Learn More. Our reviews are not affected by participation in such programs.
  1. Website Planet
  2. >
  3. Blog
  4. >
  5. Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable

Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable

Mark Holden Mark Holden

Originally published on September 3th, 2019
Severity: High

Type: ElasticSearch Database

Size: 300mb accounting for 65,800 records

Countries Affected: United States, Canada, multiple European countries, Caribbean nations, South Africa, Democratic Republic of Congo, Australia, New Zealand, etc.

Our security research team at Website Planet has recently uncovered a second incident within the last couple of months for website builder and designer service, Clover Sites, Inc., a subsidiary of Ministry Brands. A cybersecurity expert reached out to them to inform them initially of a data leak, which was subsequently closed. Not long after, our own white-hat hacker discovered yet another data leak, leaving vulnerable tens of thousands of clergymen and congregation members.

Customer Data Leaked CloverSites Data Leaked
  • Full names of church clergy or other point of contact for clients
  • Direct phone numbers of clients
  • Billing emails
  • Billing addresses
  • Last 4 digits of credit card numbers of paying customers
  • Amount paid, recurring payments, billing dates
  • Internal memos and records
  • Customer email communication
  • Ports, Pathways, and data storage information
  • Server IP addresses

Impact

With a church website design company leaking, it is assumed that the impact will be minimal. However, with the data made available in this leak, it can be taken advantage of in a number of ways, such as …

Identity Theft

With records including Personally Identifying Information (PII), billing details, and even personal details about church clergy and volunteers, it would be easy for any ill intentioned persons to claim to represent the organization. They can therefore open financial accounts and solicit donations to their own benefit using the church’s identity, or that of any affiliated individual.

cloversites-leak-report-1

Contact information, including billing address and direct emails and phone numbers

cloversites-leak-report-2

Customer’s purchase and cancellation information

Competitive Advantage

Any competitors in the website design and/or consulting field can easily use this data to their benefit. Whether it’s to undercut pricing, steal unhappy customers, or otherwise market to Clover Sites’ clients, this leak can easily lead to their company losing current and potential new business. Marketing agencies, web design professionals, and others selling the same or similar services have now had their target audience’s details served up on a silver platter!

Screenshot_1 1

Notes about an unhappy customer who subsequently cancelled their service

cloversites-leak-report-4

Pain points for CloverSite’s customers

Screenshot_2

Internal notes about a customer service error

Hate Crimes

Due to mass shootings and other attacks against religious organizations and at places of worship over the past years, there is fear of yet another occuring. Having details of church administration members and billing addresses – often differing from the main temple’s address – so someone can easily use this for their own criminal plans.

There are also customers who are not variations of Christian churches, but rather are synagogues, leading to a slew of possibilities for the worst antisemites to take advantage of the data made available in this leak.

cloversites-leak-report-6

A synagogue’s data included in the leak, noting past due payments

 Status: Clover Sites, Inc.  – an unaccredited business according to the Better Business Bureau (BBB) – has not yet publicly disclosed the two recent data leaks our team is aware of that they’ve experienced this year. Despite several attempts and a request for comment regarding this data incident, Clover Sites has not responded nor commented at the time of publication.

Prevention: The easiest way to prevent a data leak such as this from occurring is to implement a secure password for a cloud-hosted database. In this case, the ElasticSearch instances were indexed by device search engines Shodan and BinaryEdge, leaving it vulnerable at the hands of  web users. Clover Sites – as a brand under the umbrella Ministry Brands – states that they are “making adjustments to become compliant” with General Data Protection Regulation (GDPR) requirements. Once they are actually in compliance, perhaps we will no longer see their customers’ data put at risk.

What is Website Planet?

Website Planet is the premier authority for web designers, developers, digital marketers, and entrepreneurs with an online presence. Offering useful tools and resources for anyone, from the beginner to the seasoned professional, we pride ourselves on our integrity and honesty.

Our team of ethical security research team discovers and discloses some of the most impactful data leaks, as a free community service we perform for the web at large.

Mark Holden
Mark Holden

Mark is a full stack web developer specializing in HTML5, CSS, JavaScript, MySQL, and PHP. When he’s not busy building websites or geeking out over the latest addition to his ever-growing gadget collection, he enjoys playing drums for his progressive rock band. He can also make a mean Spanish omelet.

Follow our experts on
Rate this Article
4.4 Voted by 53 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars
Any comments?
Reply
View %s replies
View %s reply
Related posts
Show more related posts
Reply to
0 out of minimum 100 characters
Complete your reply Complete your comment
OR
The name is too short The name is too long The name contains invalid characters
The email is required The email is incorrect
Thank you, - your comment was submitted successfully!

We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.

Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!

We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.

Thank you for signing up!

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!

950544
100
5000
8732163
Best for beginnersimage

Create a Unique Website in Minutes

Browse 140+ mobile-responsive templates

Build Your Website