Faith-Based Daily Awareness Post 30 May 2024

These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.

Church app developer exposes data of nearly a million Brazilians (inChurch software)

Cybernews reports:

“inChurch, a Brazilian software company providing services to 5000 churches across Brazil and 45,000 worldwide, has leaked a tremendous amount of sensitive user data.

…

Most of the leaked Excel files contained potentially sensitive personal data of 932,000 members of churches, mainly across Brazil, but the team was not able to independently validate the dataset due to white-hat cybersecurity practices.

…

Leaking such a massive amount of personal data is a cause of concern, as cybercriminals could exploit it in various ways. According to the researchers, cybercriminals could use the exposed email accounts and phone numbers for targeted phishing attacks. For example, they could send deceptive emails to affected individuals, which appear to be from inChurch. This increases the risk of further security breaches.

By using social engineering tactics with the leaked data, attackers might manipulate victims into revealing more personal information or taking actions that compromise their security.”

Analyst Comments:

The inChurch app is mostly used in Brazil, but it is also used outside of Brazil. Faith-Based Organizations (FBO) should check and see if they, or any of their affiliates, are using inChurch products.

The inChurch leak can serve as a reminder of how cybercriminals can use social engineering and a little information to obtain more information.

CrowdStrike’s What Is Social Engineering? Examples + Prevention explains social engineering, and provides the following best practices to prevent social engineering.

• DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over them first; trust but verify!
• Avoid opening attachments within emails from senders you do not recognize.
• Be wary of emails or phone calls requesting account information or requesting that you verify your account.
• Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
• Always independently verify any requested information originating from a legitimate source.
• Always verify the web address of legitimate websites and manually type them into your browser.
• Check for misspellings or improper domains within a link (for example, an address that should end in a .gov ends in .com instead).
• Before transferring money or information, verify by voice or video call.
• Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.

Also, FB-ISAO’s 06 October 2023 Daily Awareness Post contains many cybersecurity resources.