Adoption Agency Data Exposure Revealed Information About Children and Parents
The adoption process is inherently sensitive, involving deeply personal information about children, birth parents, adoptive parents, and other caregivers. So when longtime data-breach hunter and security researcher Jeremiah Fowler came across a publicly accessible database online at the end of June that seemed to contain information related to adoption, he was instantly concerned.
Fowler scrambled to identify the owner of the database, which he concluded was the largely Texas-based nonprofit Gladney Center for Adoption. He then worked to notify the organization about the exposed data on June 25 but received no reply. He attempted notification again on June 26, and within a few hours the database was silently secured—hopefully before anyone else was able to access it.
Misconfigured databases are common online, even after years of effort to raise awareness about the issue, making information accessible to whoever comes across it. Fowler was particularly alarmed to see adoption-related data, though, because the trove included details like the identities of some children’s biological parents, data on individuals’ medical and mental health status, information about interactions with Child Protective Services, and even records referencing court orders. The database also included more typical personally identifying information like names, addresses, phone numbers, email addresses, and unique identifiers assigned to children’s cases. Fowler was ultimately able to trace the database to Gladney, because it also contained information about some of the organization’s employees.
“This is the first time in all of my research that I’ve seen adoption data, and it stood out because a lot of these kids are very vulnerable,” Fowler tells WIRED. “I believe that this data was exposed during the move to a different system, and that it was up for a few days before I found it. So I go to sleep at night hoping I got to it before the bad guys did.”
Fowler says that the data appeared to be from a customer relationship management, or CRM, system that is used to organize client data in businesses and other organizations. The trove contained more than 1.1 million records and was 2.49 GB.
“The Gladney Center for Adoption takes security seriously. We always work with the assistance of external information technology experts to conduct a detailed investigation into any incident. Data integrity and operations are our top priority,” chief operating officer Lisa Schuessler wrote in a statement. “With any incident, we work with law enforcement and comply with applicable laws and regulations, and in the case of any determination of sensitive information within our possession being impacted, we notify all impacted individuals.”
When asked whether this should be taken as confirmation that Gladney secured the exposed database found by Fowler and is notifying individuals whose data was included, Schuessler referred WIRED to Gladney’s initial response. That statement also noted that Gladney is “constantly taking additional steps to further strengthen and bolster our systems to ensure our networks and the information entrusted to us is secure.”