Cybersecurity researcher Jeremiah Fowler has discovered a significant security lapse involving sensitive adoption records. Fowler identified an unprotected, publicly accessible database belonging to a prominent U.S. adoption agency. The database, left online without password protection or encryption, presented a major privacy risk to thousands of individuals involved in adoption cases.
Details of the Data Exposure
The exposed database contained more than 1.1 million records—approximately 2.5 GB of data—pertaining to children, biological and adoptive parents, and agency employees. Among the information compromised were:
- Full names and contact details
- Home addresses, phone numbers, and email addresses
- Case notes relating to adoption proceedings
- Medical and mental health information concerning children
- References to court orders and communications with Child Protective Services
- Agency internal data and unique identifiers for each case
Analysis indicated the records originated from a Customer Relationship Management (CRM) platform the adoption agency used to coordinate sensitive processes.
Identification of the Agency
Through his investigation, Fowler traced the unsecured records to the Gladney Center for Adoption, a Texas-based nonprofit that has served families and children for over 130 years. Agency-specific and employee information within the database facilitated this identification.
Response and Remediation
Upon discovery, Fowler promptly alerted the Gladney Center for Adoption by issuing a responsible disclosure. The organization responded rapidly, restricting public access and securing the data within 24 hours of notification. At the time of reporting, there was no confirmed evidence that malicious parties accessed or exploited the compromised information while it was exposed.
