We rank vendors based on rigorous testing and research, but also take into account your feedback and our commercial agreements with providers. This page contains affiliate links. Advertising Disclosure
  1. Website Planet
  2. >
  3. Blog
  4. >
  5. Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable

Report: Church Website Builder Leaves Clergy & Volunteer Data Vulnerable

Church-Website-Builder-Exposed-Users-Data-logo.jpg

Originally published on September 3th, 2019

Severity: High
Type: ElasticSearch Database

Size: 300mb accounting for 65,800 records

Countries Affected: United States, Canada, multiple European countries, Caribbean nations, South Africa, Democratic Republic of Congo, Australia, New Zealand, etc.

Our security research team at Website Planet has recently uncovered a second incident within the last couple of months for website builder and designer service, Clover Sites, Inc., a subsidiary of Ministry Brands. A cybersecurity expert reached out to them to inform them initially of a data leak, which was subsequently closed. Not long after, our own white-hat hacker discovered yet another data leak, leaving vulnerable tens of thousands of clergymen and congregation members.

Customer Data Leaked CloverSites Data Leaked
  • Full names of church clergy or other point of contact for clients
  • Direct phone numbers of clients
  • Billing emails
  • Billing addresses
  • Last 4 digits of credit card numbers of paying customers
  • Amount paid, recurring payments, billing dates
  • Internal memos and records
  • Customer email communication
  • Ports, Pathways, and data storage information
  • Server IP addresses

Impact

With a church website design company leaking, it is assumed that the impact will be minimal. However, with the data made available in this leak, it can be taken advantage of in a number of ways, such as …

Identity Theft

With records including Personally Identifying Information (PII), billing details, and even personal details about church clergy and volunteers, it would be easy for any ill intentioned persons to claim to represent the organization. They can therefore open financial accounts and solicit donations to their own benefit using the church’s identity, or that of any affiliated individual.

cloversites-leak-report-1

Contact information, including billing address and direct emails and phone numbers

cloversites-leak-report-2

Customer’s purchase and cancellation information

Competitive Advantage

Any competitors in the website design and/or consulting field can easily use this data to their benefit. Whether it’s to undercut pricing, steal unhappy customers, or otherwise market to Clover Sites’ clients, this leak can easily lead to their company losing current and potential new business. Marketing agencies, web design professionals, and others selling the same or similar services have now had their target audience’s details served up on a silver platter!

Screenshot_1 1

Notes about an unhappy customer who subsequently cancelled their service

cloversites-leak-report-4

Pain points for CloverSite’s customers

Screenshot_2

Internal notes about a customer service error

Hate Crimes

Due to mass shootings and other attacks against religious organizations and at places of worship over the past years, there is fear of yet another occuring. Having details of church administration members and billing addresses – often differing from the main temple’s address – so someone can easily use this for their own criminal plans.

There are also customers who are not variations of Christian churches, but rather are synagogues, leading to a slew of possibilities for the worst antisemites to take advantage of the data made available in this leak.

cloversites-leak-report-6

A synagogue’s data included in the leak, noting past due payments

 Status: Clover Sites, Inc.  – an unaccredited business according to the Better Business Bureau (BBB) – has not yet publicly disclosed the two recent data leaks our team is aware of that they’ve experienced this year. Despite several attempts and a request for comment regarding this data incident, Clover Sites has not responded nor commented at the time of publication.

Prevention: The easiest way to prevent a data leak such as this from occurring is to implement a secure password for a cloud-hosted database. In this case, the ElasticSearch instances were indexed by device search engines Shodan and BinaryEdge, leaving it vulnerable at the hands of  web users. Clover Sites1 – as a brand under the umbrella Ministry Brands – states that they are “making adjustments to become compliant” with General Data Protection Regulation (GDPR) requirements. Once they are actually in compliance, perhaps we will no longer see their customers’ data put at risk.

What is Website Planet?

Website Planet stands as the foremost authority for web designers, developers, digital marketers, and entrepreneurs possessing an online presence. We provide valuable tools and resources for individuals at all levels, ranging from novices to seasoned professionals. Our foundation is built on integrity and honesty, qualities that we take great pride in.

Our team of ethical security research team discovers and discloses some of the most impactful data leaks, as a free community service we perform for the web at large.

Rate this Article
4.4 Voted by 53 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars
Any comments?
Required Field Maximal length of comment is equal 5000 chars Minimal length of comment is equal 50 chars
0 out of minimum 50 characters
Reply
View %s replies
View %s reply
Related posts
Show more related posts
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Popup final window
Share this blog post with friends and co-workers right now:

We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!

1 1 1

Or review us on 1

950544
50
5000
8732163