Cybersecurity researcher Jeremiah Fowler has uncovered a massive data breach involving over 1.1 million records tied to the Gladney Center for Adoption, a Texas-based organization known for providing adoption and advocacy services for more than 130 years.

The exposed database, reported to Website Planet, was left unencrypted and without password protection, putting highly sensitive personal and internal data at risk. Measuring 2.49 GB in size, the database appeared to originate from a customer relationship management (CRM) system and included a wide range of information such as names, addresses, emails, phone numbers, and case notes.

In a limited sample of the data, Fowler found folders labeled “Contacts,” “Applications,” and “Birth Fathers,” which included records containing personal and sensitive details about children, birth parents, adoptive families, and employees. Some case files included reasons for adoption denial, such as substance abuse, while others listed deeply personal family or legal issues.

The “Emails” folder alone contained 284,000 records, including subject lines and sender information, some of which revealed identifiable information. Additional folders referenced Child Protective Services (CPS) cases, medical expenses, dorm residents, pregnancy leads, and other internal matters.

Although the records appeared to be tied to the Gladney Center for Adoption, it remains unclear whether the database was directly managed by Gladney or by a third-party vendor. Fowler sent a responsible disclosure notice to the organization, after which the database was taken offline.

However, no formal response was received, and it is not known how long the information was exposed or whether it was accessed by malicious actors. Fowler emphasized the potential risks of such an exposure, noting that the emotionally sensitive nature of adoption could make individuals more vulnerable to phishing scams, impersonation, and fraud.



While the data has since been secured, the incident underscores the critical need for robust cybersecurity practices, especially for organizations handling sensitive and emotionally charged personal data. The breach highlights how a single unprotected database can create serious real-world consequences and calls into question the data management protocols of organizations dealing with vulnerable populations.
