Sensitive Adoption Agency Data Exposed in Unsecured CRM Database
Adoption Agency CRM Database Left Publicly Accessible
Security researcher Jeremiah Fowler uncovered a non-password-protected database in late June containing over 1.1 million records (2.49 GB) of extraordinarily sensitive adoption-related information. The trove included:
- Full names, addresses, phone numbers, and email addresses of children, birth parents, and adoptive families
- Detailed medical and mental health histories
- Child Protective Services (CPS) interaction logs
- Court orders and case-specific unique identifiers
- Internal employee information
Fowler traced the database to Gladney Center for Adoption, a prominent Texas-based nonprofit, through employee records contained in the dataset. The exposure appeared to stem from a misconfigured customer relationship management (CRM) system, the kind of software platform, like Salesforce or Microsoft Dynamics, used to manage client interactions.
"This is the first time I’ve seen adoption data exposed, and it stood out because these children are extremely vulnerable," Fowler told WIRED. "I believe this data was exposed during migration to a different system."
Technical Breakdown of the Exposure
The database remained publicly accessible for an unknown period before Fowler's discovery. Key technical concerns include:
- Absence of authentication protocols: No password or encryption barriers prevented access
- Cloud misconfiguration: Likely caused by improper access controls during system migration
- Data sensitivity classification failure: Medical, legal, and familial relationship data wasn't segmented from basic PII
- Lack of monitoring: No apparent detection of unauthorized access attempts
CRM systems typically store data in structured formats like SQL databases. Fowler's analysis suggests the exposed data followed relational database patterns, with tables linking children's case IDs to parent records, medical documents, and legal proceedings.
Response and Industry Implications
After Fowler's second notification attempt on June 26, Gladney secured the database within hours. The organization stated:
"We always work with external IT experts to investigate incidents. Data integrity and operations are our top priority... We comply with applicable laws and notify impacted individuals when sensitive information is affected."
This incident underscores systemic challenges in nonprofit tech infrastructure:
- Resource constraints: Nonprofits often lack enterprise-grade security budgets
- Migration risks: Data exposure frequently occurs during cloud transitions or system updates
- Regulatory gaps: Specialized industries like adoption services lack specific cybersecurity frameworks
Security experts emphasize that CRM deployments require:
```yaml
# Minimum CRM Security Configuration Checklist
authentication:
  - multi_factor_auth: enabled
  - role_based_access: strict
encryption:
  - data_at_rest: AES-256
  - data_in_transit: TLS 1.3+
monitoring:
  - access_logs: real-time_alerting
  - configuration_drift: automated_checks
data_handling:
  - pii_classification: automated_tagging
  - sensitive_data_masking: enabled
```
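One way to automate the checklist's configuration_drift item after a migration, as an added example that is not from the article, WIRED, or Gladney. The setting names come from the checklist; the function names and the MIGRATED sample environment are assumptions constructed for illustration.

```python
import re

# Baseline copied from the checklist; keys are (section, setting).
BASELINE = {
    ("authentication", "multi_factor_auth"): "enabled",
    ("authentication", "role_based_access"): "strict",
    ("encryption", "data_at_rest"): "AES-256",
    ("encryption", "data_in_transit"): "TLS 1.3+",
    ("monitoring", "access_logs"): "real-time_alerting",
    ("monitoring", "configuration_drift"): "automated_checks",
    ("data_handling", "pii_classification"): "automated_tagging",
    ("data_handling", "sensitive_data_masking"): "enabled",
}

def _tls_version(value):
    """Parse 'TLS 1.2' or 'TLS 1.3+' into (major, minor); None if unparseable."""
    m = re.fullmatch(r"TLS\s*(\d+)\.(\d+)\+?", str(value).strip(), re.I)
    return (int(m.group(1)), int(m.group(2))) if m else None

def meets(required, observed):
    """True when an observed setting satisfies the baseline value."""
    if observed is None:
        return False  # a setting that vanished in migration counts as drift
    if required.endswith("+"):  # minimum-version rule such as 'TLS 1.3+'
        have = _tls_version(observed)
        return have is not None and have >= _tls_version(required)
    return str(observed).strip().lower() == required.lower()

def find_drift(observed):
    """Return (section, setting, required, observed) for every failed item."""
    findings = []
    for (section, setting), required in BASELINE.items():
        value = (observed.get(section) or {}).get(setting)
        if not meets(required, value):
            findings.append((section, setting, required, value))
    return sorted(findings, key=lambda f: f[:2])

# Constructed sample: a hypothetical environment as it looks after migration.
MIGRATED = {
    "authentication": {"multi_factor_auth": "disabled", "role_based_access": "strict"},
    "encryption": {"data_at_rest": "AES-256", "data_in_transit": "TLS 1.2"},
    "monitoring": {"access_logs": "real-time_alerting"},  # drift check was dropped
    "data_handling": {"pii_classification": "automated_tagging",
                      "sensitive_data_masking": "enabled"},
}

if __name__ == "__main__":
    for section, setting, required, value in find_drift(MIGRATED):
        print(f"DRIFT {section}.{setting}: required {required!r}, observed {value!r}")
```

Run as a gate before a migrated environment is exposed to any network; a non-empty result from find_drift should block the cutover.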
The exposure highlights how a single misconfiguration can compromise deeply sensitive lifetime records, creating risks of identity theft, familial disruption, and psychological harm. With adoption involving sealed court documents and confidential health information, the breach represents a particularly severe category of data leakage.
Gladney has not confirmed whether malicious actors accessed the data during the exposure window. The organization states it's working with law enforcement and strengthening its systems.
— Source: WIRED