Originally published on September 3rd, 2019
Severity: High
Type: ElasticSearch Database
Size: 300 MB, accounting for 65,800 records
Countries Affected: United States, Canada, multiple European countries, Caribbean nations, South Africa, Democratic Republic of Congo, Australia, New Zealand, etc.
Our security research team at Website Planet has recently uncovered a second incident within the last couple of months for website builder and designer service, Clover Sites, Inc., a subsidiary of Ministry Brands. A cybersecurity expert reached out to them to inform them initially of a data leak, which was subsequently closed. Not long after, our own white-hat hacker discovered yet another data leak, leaving vulnerable tens of thousands of clergymen and congregation members.
Screenshots: Customer Data Leaked; CloverSites Data Leaked
Impact
When a church website design company leaks data, one might assume that the impact will be minimal. However, the data made available in this leak can be taken advantage of in a number of ways, including the following.
Identity Theft
With records including Personally Identifiable Information (PII), billing details, and even personal details about church clergy and volunteers, it would be easy for any ill-intentioned person to claim to represent the organization. They could therefore open financial accounts and solicit donations for their own benefit using the church’s identity, or that of any affiliated individual.
Contact information, including billing address and direct emails and phone numbers
Customer’s purchase and cancellation information
Competitive Advantage
Any competitors in the website design and/or consulting field can easily use this data to their benefit. Whether it’s to undercut pricing, steal unhappy customers, or otherwise market to Clover Sites’ clients, this leak can easily lead to their company losing current and potential new business. Marketing agencies, web design professionals, and others selling the same or similar services have now had their target audience’s details served up on a silver platter!
Notes about an unhappy customer who subsequently cancelled their service
Pain points for CloverSite’s customers
Internal notes about a customer service error
Hate Crimes
Due to mass shootings and other attacks against religious organizations and at places of worship over the past years, there is fear of yet another occurring. With details of church administration members and billing addresses exposed – often differing from the main temple’s address – someone could easily use this information for their own criminal plans.
There are also customers who are not variations of Christian churches, but rather are synagogues, leading to a slew of possibilities for the worst antisemites to take advantage of the data made available in this leak.
A synagogue’s data included in the leak, noting past due payments
Status: Clover Sites, Inc. – an unaccredited business according to the Better Business Bureau (BBB) – has not yet publicly disclosed either of the two data leaks our team is aware of that it has experienced this year. Despite several attempts and a request for comment regarding this data incident, Clover Sites had not responded or commented at the time of publication.
Prevention: The easiest way to prevent a data leak such as this from occurring is to require a secure password for a cloud-hosted database. In this case, the ElasticSearch instances were indexed by the device search engines Shodan and BinaryEdge, leaving them exposed to anyone on the web. Clover Sites – as a brand under the umbrella of Ministry Brands – states that they are “making adjustments to become compliant” with General Data Protection Regulation (GDPR) requirements. Once they are actually in compliance, perhaps we will no longer see their customers’ data put at risk.
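As an added illustration of the exposure pattern described above (example code written for this article, not anything from Website Planet or Clover Sites), the script below contrasts a constructed Elasticsearch configuration that listens on every interface with no authentication against a hardened one, and audits either file for that pattern. The `network.host` and `xpack.security.*` keys are real Elasticsearch settings; the two sample configurations are constructed, and the loopback default for `network.host` is assumed from the Elasticsearch documentation.

```python
from typing import Dict, List

# Constructed sample configs for illustration (not Clover Sites' actual files).
WEAK_CONFIG = """\
cluster.name: church-sites
network.host: 0.0.0.0          # listens on every interface, incl. the public one
http.port: 9200
xpack.security.enabled: false  # no password required to read the indices
"""

HARDENED_CONFIG = """\
cluster.name: church-sites
network.host: 127.0.0.1        # loopback only; reach it via VPN or an auth proxy
http.port: 9200
xpack.security.enabled: true   # built-in users and roles must authenticate
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; elasticsearch.yml uses flat dotted keys, so a
    full YAML parser is not needed here. Comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the exposure pattern was not found."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    host = cfg.get("network.host", "_local_")  # assumed default: loopback only
    reachable = host not in LOOPBACK
    auth_on = cfg.get("xpack.security.enabled") == "true"  # default varies by version
    tls_on = cfg.get("xpack.security.http.ssl.enabled") == "true"
    if reachable and not auth_on:
        findings.append(f"CRITICAL: network.host={host} with no authentication")
    elif reachable:
        findings.append(f"WARN: network.host={host}; firewall ports 9200/9300")
    if not auth_on:
        findings.append("WARN: xpack.security.enabled is not explicitly true")
    if reachable and not tls_on:
        findings.append("WARN: HTTP API served without TLS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run the script against your own elasticsearch.yml; any CRITICAL line is the same condition that let search engines index this database.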
What is Website Planet?
Website Planet is the premier authority for web designers, developers, digital marketers, and entrepreneurs with an online presence. Offering useful tools and resources for anyone, from the beginner to the seasoned professional, we pride ourselves on our integrity and honesty.
Our team of ethical security researchers discovers and discloses some of the most impactful data leaks, as a free community service we perform for the web at large.