Massive data leak in the Agency adoption of Texas contains 1.1 million data records

“During the scanning of the web for exposed databases, cyber security researcher Jeremiah Fowler discovered a lot of unprotected records that were linked to the Gladney Center for adoption without making a password online, without encryption and accessible to anyone.”

The database with 2.49 gigabytes and more than 1.1 million records contained deeply sensitive information about children, adoptive parents, birth families and internal staff. Everything from names and contact details to case notes and private reviews was accessible to everyone with an internet connection, especially for those who know how to find exposed cloud servers, which are very familiar.

Fowler quickly sent a responsible disclosure to the organization, which was considered a source. The data was secured the following day, but there are questions about how long they were exposed and whether someone else had accessed it before they were taken offline.

What this data deleted particularly worrying was not only the data volume, but the way. The records seemed to come from a CRM platform (Customer Relationship Management), with the fall work and communication throughout the company.

In folders with the name “contacts”, “applications” and “birth fathers”, Fowler found detailed records in which the personal stories of the applicants, reasons for the rejection of adoptions, family background and even mentioning the use of substance or legal matters were described. While there were no complete case files, each entry was contained just enough details to make them a goal for social engineering or fraud.

According to Fowler's report with HackRead.com, one of the more sensitive areas included 284,000 e -mail metadata records. Although the complete e -mail body was not uncovered, the subject lines sometimes contain names or references that could give away the context. In some records, public relations between the agency and providers of the healthcare system or social service were listed, which further enhances the potential data protection failures if this data had fallen into the wrong hands.

The records included years in the company's history, but evidence indicates that the database itself was recently created or exported. It remains unclear whether the system was hosted internally or by a provider of third -party providers. Fowler never received an answer to his disclosure, so there is little clarity about the full extent of the exposure or whether a forensic review was carried out.

From a technical point of view, the data records were a mixture of simple text and Uuids (universally clear identifiers), which are typically used in CRM systems to link data. These identifiers may look complex, but they are not intended to protect sensitive content. Without encryption, they do not offer meaningful protection if they are accessed by non -authorized users.

Fowler emphasized that encryption of data, especially if you affect children or health -related content, should be a basic standard. He also suggested that companies restrict internal access to sensitive data, check their systems regularly and train employees in basic cyber security hygiene. Older data that is no longer used should be archived or deleted to limit the consequences of leaks.

Fowler's report accused Gladney or his associated companies neither misconduct, nor did the data have been abused. However, he pointed out that the exposed data could enable hypothetically real estate tests, phishing fraud or even extortion. Families that are involved in adoption often have stressful and personal experiences, and such leaks make them more susceptible.

In this case, the data did not seem to be stolen or shared. Fowler only made minimal screenshots for checking and not invited or kept any of the content. His reporting was directed by ethics, transparency and an obligation to better data security in the areas that process personal data.