Adoption agency leaks over a million records

Security researcher Jeremiah Fowler found a publicly accessible database online that contained highly personal information from an adoption agency.

Jeremiah, who specializes in locating exposed cloud storage, is used to finding sensitive data left open. However, because of the nature of this particular information, this find immediately raised his concern, and he hurried to establish who owned the data.

Research indicated that the database belonged to the Fort Worth (TX) based non-profit Gladney Center for Adoption. After notifying the agency, the database was secured the following day. Let’s hope nobody else found it before that time.

In total, the unencrypted and non-password-protected database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

The risks of leaking this type of data, and of it falling into the hands of cybercriminals, are huge. The sensitivity of adoption-related data makes these exposures particularly damaging, both for children and for families, since adoption records often include highly personal details about children, birth parents, adoptive parents, and agency staff.

Criminals who get their hands on this kind of information could run highly targeted phishing campaigns, using the specific details to make their messages plausible. In some cases, the information could even be sensitive enough to be used for extortion or identity theft.

The researcher notes:

“The records did not contain full case files, and the publicly exposed records were a combination of plain text and unique identifiers.”

He goes on to explain that unique identifiers are not necessarily a security enhancement.

“From a cybersecurity perspective, a UUID is designed for unique identification, not secrecy, and it can potentially be guessed, reverse-engineered, or enumerated. UUIDs are not recommended to be used to protect sensitive data.”
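
To make that point concrete, here is a small added audit helper (not code from the researcher or from Gladney) that reports what a given identifier reveals and why it cannot double as a secret. It uses only the Python standard library; the sample identifiers are the worked example from the UUID RFC and a constructed version-4 value, not anything from the exposed database.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# The UUID time epoch (RFC 4122 / RFC 9562): 1582-10-15 00:00:00 UTC,
# counted in 100-nanosecond intervals.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def classify_uuid(value: str) -> dict:
    """Describe what an identifier reveals and whether it could serve as a secret.

    A version-1 UUID embeds its creation time and a 48-bit node field, so
    identifiers minted close together differ only in a few predictable bits.
    A version-4 UUID is random, but it is still just an identifier: anyone who
    sees it in a URL, a log line or an export can reuse it, so it must never
    stand in for authentication or authorization.
    """
    u = uuid.UUID(value)
    info = {
        "version": u.version,
        "timestamp": None,
        "node_is_random": None,
        "suitable_as_secret": False,  # true for no UUID version
    }
    if u.version == 1:
        # u.time is the 60-bit count of 100 ns intervals since the UUID epoch.
        info["timestamp"] = (UUID_EPOCH + timedelta(microseconds=u.time // 10)).isoformat()
        # The multicast bit of the node's first octet marks a randomly generated
        # node rather than a real hardware (MAC) address (RFC 4122, Section 4.5).
        info["node_is_random"] = bool((u.node >> 40) & 0x01)
    return info


def mint_access_token() -> str:
    """Return a 256-bit random bearer token: what to use when secrecy is the goal."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Version-1 example taken from the UUID RFC's appendix (not from this incident).
    print(classify_uuid("c232ab00-9414-11ec-b3c8-9f6bdeced846"))
    # Constructed version-4 example: random, yet still not a secret.
    print(classify_uuid("550e8400-e29b-41d4-a716-446655440000"))
    print("token:", mint_access_token())
```

Even a properly random token only helps when every record lookup is also checked against the requester's authorization; an identifier in a URL is never a substitute for a password-protected, access-controlled database.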

Given the long-standing reputation of an adoption center like Gladney, people feel confident sharing their personal information with it. People who place that much trust in an organization should not be let down by something as basic as protecting an online database with a password.

It should be noted that it is unknown whether the database was exposed by Gladney itself or a third-party provider.

Wired posted a statement by Gladney’s Chief Operating Officer, which was not very helpful in determining what went wrong:

“The Gladney Center for Adoption takes security seriously. We always work with the assistance of external information technology experts to conduct a detailed investigation into any incident. Data integrity and operations are our top priority.”

Protecting yourself after a data breach

While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password; 2FA that relies on a FIDO2 device can’t be.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.
