Texas Adoption Agency Faces Major Data Breach, Exposing 1.1 Million Records

In a recent investigation, cybersecurity researcher Jeremiah Fowler uncovered a significant data breach involving a vast repository of unsecured records belonging to the Gladney Center for Adoption. This dataset, left unprotected and accessible online without any form of authentication or encryption, poses serious implications for the sensitive information contained within.

The exposed database comprised 2.49 gigabytes of data, containing over 1.1 million records that included highly sensitive details pertaining to children, adoptive parents, birth families, and internal staff. Usernames, contact information, case notes, and private assessments were all available to anyone with internet access, particularly individuals adept at locating vulnerable cloud servers—a skill set that cybercriminals are known to possess.

Upon discovering the exposure, Fowler promptly issued a responsible disclosure notification to the organization believed to be the source of the data breach. The records were secured the following day; however, unanswered questions linger regarding the duration of the exposure and the possibility of unauthorized access prior to its removal.

The magnitude of this data leak is alarming, not just due to the sheer volume of exposed records, but also because of the sensitive nature of the information involved. The records appeared to originate from a Customer Relationship Management (CRM) platform utilized for managing casework and communications within the organization.

Within folders labeled “contacts,” “applications,” and “birth fathers,” Fowler found detailed entries revealing applicants’ personal histories, reasons for adoption denials, family details, and even references to substance abuse or legal issues. While no complete case files were exposed, the information was substantial enough to potentially facilitate malicious activities such as social engineering or fraud.

Fowler’s report, shared with Hackread.com, indicated that among the exposed data were 284,000 email metadata records. Although full email content was not accessible, subject lines within the metadata sometimes included identifiable names or references, including references to interactions between the agency and various healthcare or social service providers, posing additional risks if the data were to fall into the wrong hands.

The records spanned multiple years of operational history; however, indications suggested that the database itself had recently been created or exported. It remains unclear whether the data system was hosted internally by the organization or managed by a third-party vendor. Fowler has yet to receive a response regarding his disclosure, leaving uncertainty surrounding the extent of the exposure and any potential forensic evaluations.

From a technical standpoint, the records were a combination of plaintext data and UUIDs (Universally Unique Identifiers), commonly employed in CRM systems to link various data points. These identifiers, while complex in appearance, do little to protect sensitive information when not safeguarded by encryption.

Fowler emphasized the necessity of encrypting data, especially that which involves children or health-related content, advocating for stringent baseline security measures. He also recommended organizations implement restrictions on internal access to delicate data, conduct regular system audits, and provide staff training on cybersecurity best practices. Additionally, data no longer in active use should be archived or deleted to minimize potential fallout from future breaches.

Although Fowler’s report did not accuse the Gladney Center or its affiliates of any wrongdoing, it highlighted the potential risks associated with the exposed data, which could enable impersonation, phishing attempts, or even extortion tactics. Adoption-related processes often entail high-stress situations for families, and such exposure can exacerbate their vulnerabilities.

In this instance, it does not appear that the data was stolen or misused. Fowler limited his engagement to minimal screenshots for verification purposes and refrained from downloading or retaining any content. His actions were guided by ethical considerations and a commitment to enhancing data security within sectors handling sensitive information.