Unsecured database at Gladney Centre for Adoption exposes over 1.1 million sensitive records

A misconfigured and publicly accessible database tied to the Gladney Centre for Adoption has exposed more than 1.1 million sensitive records involving children, parents, employees, and donors, according to a cybersecurity researcher.

The discovery was made earlier this week by Jeremiah Fowler, a well-known security analyst who specializes in identifying unprotected databases. Fowler reported that the 2.49-gigabyte database was not password-protected or encrypted, making it freely accessible to anyone on the internet.

The exposed data included full names, physical addresses, phone numbers, email addresses, adoption case notes, and information related to both birth and adoptive families. Some records also contained mental and medical health details, court documents, and internal notes from child protective services, along with staff and donor information.

Fowler noted that while the records appeared to be linked to Gladney, it is unclear whether the organization managed the database directly or if it was hosted by a third-party service provider. The system was reportedly generated from a Customer Relationship Management (CRM) platform commonly used to manage client data.

After receiving Fowler’s responsible disclosure notice, the Gladney Centre acted swiftly to restrict access to the database, which was taken offline within hours of being notified. However, the duration of the exposure remains unknown, and there is currently no forensic evidence to confirm whether the data was accessed or stolen by unauthorized parties.

The nature of the leaked data raises serious concerns about privacy and security, especially for vulnerable individuals involved in adoption or foster care. Cybersecurity experts warn that criminals could weaponize this information for a range of malicious activities, including identity theft, phishing schemes, and even extortion. For instance, a scammer could impersonate agency personnel to manipulate families or solicit fraudulent payments by exploiting adoption case histories.

Although there is no indication the data has been misused so far, security professionals emphasize that its sensitive nature makes it highly valuable on the dark web. The incident has prompted renewed calls for stronger cybersecurity practices within nonprofit and child welfare organizations.

Fowler did not attribute any malicious intent to the Gladney Centre but cautioned that the full impact of the exposure cannot be determined without a detailed forensic review.

Founded in 1887 and headquartered in Texas, the Gladney Centre for Adoption is one of the most established adoption agencies in the United States, with a mission to place children in loving homes. The breach has raised serious questions about data stewardship and digital safeguards at institutions responsible for protecting some of society’s most vulnerable populations.