Cybersecurity researcher Jeremiah Fowler discovered a massive data breach exposing over 1.1 million records tied to Gladney Center for Adoption, a well-known Texas-based adoption agency.
According to the report, Fowler found the database unencrypted, unsecured by a password, and publicly accessible. He immediately reported the issue, and the agency restricted access to the database the following day.
The exposed database, measuring 2.49GB, appeared to originate from a Customer Relationship Management (CRM) system. Fowler identified names, phone numbers, emails, and notes involving adoption cases. The data belonged to:
- Children
- Birth parents
- Adoptive parents
- Agency staff
- Third-party service providers.
Files Contained Deeply Personal Data
The database held folders labelled “contacts,” “applications,” “emails,” and “Birth Fathers,” among others. One folder listed close to 39,000 applications with personal notes detailing the reasons applicants received approval or denial. Fowler also found records citing substance abuse and legal issues.
In the “Birth Fathers” folder, Fowler saw full names, including middle names, and sensitive background information. The inclusion of middle names considerably increases the risk of re-identifying individuals, particularly in the privacy-conscious adoption world.
Other folders documented Child Protective Services (CPS) cases, pregnancies, dorm residents, medical expenses, and communications with social services and medical professionals. Though many records dated back years, the database itself appeared recently compiled, created just days before Fowler’s discovery.
Breach Creates Opportunities for Exploitation and Fraud
Criminals could exploit the exposed data to impersonate adoption professionals, phish clients, or even blackmail individuals. Because the database contained internal notes and contact information, scammers could convincingly pose as staff, lawyers, or caseworkers.
Fowler notes that people caught in emotionally intense processes like adoption are often more vulnerable to manipulation. He stressed that while he saw no evidence of malicious access, only a forensic audit could confirm whether attackers had already scraped or downloaded the data.
Gladney Fails to Respond
Despite Fowler notifying the organization, the Gladney Center for Adoption failed to respond. It remains unclear whether the agency directly managed the exposed database or outsourced it to a third party. Either way, Gladney bears responsibility for the breach.
The lack of communication raises red flags. When over a million sensitive records go public, the affected organization should respond quickly and transparently. More than a week on from the incident, Gladney has stayed silent.
Negligence, Not Cybercriminals
Perhaps the most notable feature of this breach is that Gladney didn’t fall victim to a sophisticated cyberattack. It left the front door wide open. Someone failed to secure a basic database, leaving it unencrypted without a password or access controls. This wasn’t a zero-day exploit or nation-state threat. It was avoidable.
Despite Gladney’s long-standing reputation in adoption services, the agency now finds itself tied to a significant and preventable data exposure. The trust it built over more than a century risks erosion because no one took the most basic steps to protect personal information.
In cybersecurity, negligence is often more harmful that malice. This case proves it.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.