Exposed Adoption Data Raises Privacy Concerns for Gladney Center
In late June, security researcher Jeremiah Fowler uncovered a publicly accessible database containing sensitive information related to the adoption process. The database, linked to the Texas-based nonprofit Gladney Center for Adoption, raised immediate alarms due to its implications for vulnerable children and their families. The data included personal details about children’s biological parents, medical and mental health records, interactions with Child Protective Services, and court order documents, alongside typical personally identifiable information such as names, addresses, and contact details.
Upon discovering the database on June 25, Fowler attempted to notify Gladney about the exposure but initially received no response. His persistent efforts on June 26 were met with success, as the organization secured the database shortly after his second attempt. This action likely mitigated the risk of unauthorized access, but it highlighted the ongoing issues associated with misconfigured databases in today’s digital landscape.
Fowler indicated that the exposed data appeared to originate from a customer relationship management (CRM) system, which is typically employed by organizations to manage client data. He estimated that the database contained over 1.1 million records and was approximately 2.49 gigabytes in size. The nature of the information raises significant ethical concerns, particularly as many individuals affected are minors.
“This is the first instance I’ve encountered involving adoption data, and it is particularly concerning given the vulnerability of the children involved,” Fowler remarked. He speculated that the data breach occurred during a transition to a different system, leaving sensitive information exposed for several days.
In response to the incident, Lisa Schuessler, Chief Operating Officer of Gladney, emphasized the organization’s commitment to data security. She stated that Gladney collaborates with external IT experts to conduct thorough investigations into data-related issues. Maintaining data integrity is a priority, and they adhere to applicable laws and regulations, including notifying individuals if sensitive information is compromised.
While there has been no explicit confirmation that Gladney is notifying those affected by the exposure, Schuessler directed inquiries about the incident to their initial statement, which outlined ongoing efforts to enhance their security measures.
This incident provides a stark reminder of the potential vulnerabilities organizations face with sensitive data management. The MITRE ATT&CK framework offers insight into possible tactics and techniques that might have been employed in this scenario, including initial access methods like misconfiguration, which can easily expose sensitive databases, as well as persistence techniques that could allow malicious parties to exploit such vulnerabilities.
As organizations continue to navigate the complexities of data management, this incident underscores the critical importance of robust security protocols in safeguarding sensitive information, particularly in fields like adoption, where privacy is paramount.
