Massive Data Leak at Texas Adoption Agency Exposes 1.1 Million Records
“While scanning the web for exposed databases, cybersecurity researcher Jeremiah Fowler discovered a massive set of unprotected records linked to the Gladney Center for Adoption, left online without a password, without encryption, and accessible to anyone.”
The database, containing 2.49 gigabytes and holding more than 1.1 million records, included deeply sensitive information about children, adoptive parents, birth families, and internal staff. Everything from names and contact details to case notes and private assessments was accessible to anyone with an internet connection, especially to those who know how to find exposed cloud servers, something cybercriminals are very familiar with.
Fowler quickly sent a responsible disclosure notice to the organization believed to be the source. The data was secured the following day, but questions remain about how long it was exposed and whether anyone else accessed it before it was taken offline.
What made this data leak especially concerning was not just the volume of data but the nature of it. The records appeared to come from a CRM (Customer Relationship Management) platform used to manage casework and communication across the organization.
In folders labeled “contacts,” “applications,” and “birth fathers,” Fowler found detailed records describing applicants’ personal histories, reasons for adoption denials, family backgrounds, and even mentions of substance use or legal matters. While there were no full case files, each entry carried just enough detail to make them a target for social engineering or fraud.
According to Fowler’s report shared with Hackread.com, one of the more sensitive areas included 284,000 email metadata records. Though the full email bodies weren’t exposed, subject lines sometimes included names or references that could give away context. Some records listed outreach between the agency and healthcare or social service providers, further adding to the potential privacy fallout if this data had fallen into the wrong hands.
The records spanned years of operational history, but evidence suggested the database itself had only recently been created or exported. Whether the system was hosted internally or by a third-party vendor remains unclear. Fowler never received a response to his disclosure, so there’s little clarity about the full extent of the exposure or whether any forensic review was conducted.
From a technical perspective, the records were a mix of plain text and UUIDs (Universally Unique Identifiers), which are typically used in CRM systems to link data. These identifiers may look complex, but they aren’t meant to protect sensitive content. Without encryption, they offer no meaningful protection if accessed by unauthorized users.
Fowler emphasized that encrypting data, especially when it involves children or health-related content, should be a baseline standard. He also suggested organizations limit internal access to sensitive data, regularly audit their systems, and train staff on basic cybersecurity hygiene. Older data no longer in use should be archived or deleted to limit the fallout in case of leaks.
Fowler’s report did not accuse Gladney or its affiliates of wrongdoing, nor did it claim the data was misused. However, he pointed out that the exposed data could hypothetically enable impersonation attempts, phishing scams, or even blackmail. Families involved in adoption often go through stressful and personal experiences, and such leaks make them more vulnerable.
In this case, the data did not appear to be stolen or shared. Fowler only took minimal screenshots for verification and did not download or retain any of the content. His reporting was guided by ethics, transparency, and a commitment to better data security across sectors handling personal information.
