Clover Sites has been exposing the personal data of its customers for at least half a year.
Security Discovery researcher Jeremiah Fowler discovered the non-password-protected database on May 22. The database contained 65,800 records of current and previous Clover Sites customers.
The records contained detailed information including customer names, billing information such as the last four digits of credit card numbers, phone numbers and emails. Additionally, Fowler stated that the records also contained detailed internal comments about calls.
The following day, Fowler attempted to notify the company by phone; however, the manager refused to speak to the researcher. A member of the company stated that they had already been notified by fellow researcher Bob Diachenko around a month earlier.
Diachenko had reported the data exposure incident in April, and confirmed that after reaching out to Clover Sites, the database had been secured.
“We have determined that this was a second and separate data incident from what Bob Diachenko reported to Clover Sites in April. This would mean that Clover Sites’ full client data has been exposed online two separate times and was accessible to anyone with an internet connection.
“In early October I was finally able to get in contact with their parent company Ministry Brands LLC. On October 4th I received a thank you message from members of Ministry Brands confirming that they would take action. Within 24hrs public access was closed. Unlike the Clover Sites staff who ignored calls and emails, Ministry Brands acted fast and professionally to secure the data,” Fowler said.
It remains unknown how long the first database had been exposed, or who may have accessed it; however, based on the timeline, the customer data is estimated to have been exposed from at least April until October.
“The most outrageous part of this data leak was the complete lack of response by members of the Clover Sites support team and management to 15-20 notifications and phone calls. This was the most blatant example I have ever seen of flat out ignoring multiple data exposure notices while still being aware of a previous data leak.”
Fowler stresses that at least one or two other researchers had published details of the exposure in September, while the database was still open, which he considers highly irresponsible because it further jeopardises the affected individuals.
“The fact that any member of the security community would publish this type of exposure before it was secured is the equivalent to providing cyber criminals with a treasure chest of potential victims.”
The post #Privacy: Religious website service found exposing customer data for months appeared first on PrivSec Report.