Potential follow-on attacks on religious organizations could include credit-card theft via spearphishing, fraud and network intrusion.
Religious website service Clover Sites exposed customer data for at least six to seven months, with the dataset found twice in two separate, insecure cloud databases.
Clover offers a content management system for building and managing faith-based websites, with a “Clover Donations” module for accepting money online. According to Jeremiah Fowler at Security Discovery, he found a non-password protected database in May that contained 65,800 detailed records with customer names, billing information, contact data and the last four digits of credit-card numbers. It also included internal comments about calls, help requests and notes on customer satisfaction, and IP addresses, ports, pathways and storage info for customers.
In total, the exposed data “appears to be all of Clover Site’s customer accounts, past and present,” Fowler wrote in an analysis this week.
The interesting thing is that the same data set had popped up in a separate unsecured database about a month before Fowler’s discovery. That first database was uncovered by Fowler’s colleague, Bob Diachenko, who notified Clover, which closed it. Fowler learned this only after contacting Clover about the database he had found – and being told by a Clover agent that “the manager would not speak with me and was aware of the situation that was already resolved.”
It rapidly became apparent that there were two databases, with the second one still exposing data.
“We have determined that this was a second and separate data incident than what Bob Diachenko reported to Clover Sites in April,” Fowler said. “This would mean that Clover Sites’ full client data has been exposed online two separate times and was accessible to anyone with an internet connection.”
Nonetheless, Clover did not take Fowler’s report seriously until roughly five months after he originally reported the issue to the company.