Religious website service Clover Sites exposed customer data for at least six to seven months, with the dataset found twice in two separate, insecure cloud databases.
Clover offers a content management system for building and managing faith-based websites, with a “Clover Donations” module for accepting money online. According to Jeremiah Fowler at Security Discovery, he found a non-password protected database in May that contained 65,800 detailed records with customer names, billing information, contact data and the last four digits of credit-card numbers. It also included internal comments about calls, help requests and notes on customer satisfaction, and IP addresses, ports, pathways and storage info for customers.
In total, the exposed data “appears to be all of Clover Site’s customer accounts, past and present,” Fowler wrote in an analysis this week.
The interesting thing is that the same data set popped up in a separate unsecured database about a month before Fowler’s discovery. The first database was uncovered by Fowler’s colleague, Bob Diachenko, who had notified Clover, which closed it. Fowler discovered this after calling on the database that he had seen – only to be told by a Clover agent that “the manager would not speak with me and was aware of the situation that was already resolved.”
It rapidly became apparent that there were two databases, with the second one still exposing data.
“We have determined that this was a second and separate data incident than what Bob Diachenko reported to Clover Sites in April,” Fowler said. “This would mean that Clover Sites’ full client data has been exposed online two separate times and was accessible to anyone with an internet connection.”
Nonetheless, Clover refused to take Fowler’s report seriously until April, five months after he originally reported the issue to the company.
“In early October I was finally able to get in contact with their parent company Ministry Brands LLC,” the researcher explained. “On October 4th I received a thank you message from members of Ministry Brands confirming that they would take action. Within 24 hours public access was closed. Unlike the Clover Sites staff who ignored calls and emails, Ministry Brands acted fast and professionally to secure the data.”
Unfortunately, a handful of others published the details of the open database before Ministry Brands took action – it’s a move that Fowler calls “highly irresponsible” disclosure.
“We believe we have an ethical duty to those individuals who had their data exposed and not try to make news at the expense of innocent users and their data,” he wrote. “True data protection is not a race to get your name in headlines, some free PR from your firm or product. This approach goes against the hard work and countless hours of (often unpaid) research that is involved with the responsible disclosure process.”
It is unclear how long the first database had been exposed or who may have accessed the data in either of them, but Fowler pointed out that potential follow-on attacks could include credit-card theft via spearphishing, fraud and network intrusion.
“The danger of storing this type of information including the last four digits of a credit card and billing address is that it makes it extremely easy for cybercriminals to theoretically pose as employees and ‘verify’ the rest of the card,” he explained. “This type of highly targeted phishing is a real risk because there is a relationship of trust with the customer and provider, so most people would not suspect anything if they received a call to update their payment method.”
Other fraud efforts could be carried out using the detailed call notes in the database (the criminal could even say “I see that we last spoke on this date regarding this subject”); and, the port information could be used to penetrate further into the network.
Unsecured databases left open to the internet continue to plague companies. According to the Cloud Adoption & Risk Report released by McAfee earlier this year, there has been a 27.7 percent increase in cloud-related security incidents from the last year. With 65 percent of organizations using some form of an infrastructure-as-a-service (IaaS) model, organizations need to be aware of the risks that cloud-based options bring, and ensure that security is a top priority when deploying them.
