In a troubling case of digital negligence, a cybersecurity researcher recently uncovered a massive data exposure involving over one million records linked to the Gladney Center for Adoption, a well-established Texas-based agency with a 130-year legacy. The unencrypted and publicly accessible database, discovered and reported by Website Planet, exposed deeply personal and potentially damaging information tied to adoption cases, employees, and sensitive internal communications.

A Massive Breach of Confidentiality

The exposed database contained 1,115,061 records, occupying 2.49 GB of storage, and was left wide open — without password protection or encryption. The analysis revealed that the data appeared to originate from a Customer Relationship Management (CRM) system. Among the data were names, physical addresses, emails, phone numbers, and other personally identifiable information (PII) in both plain text and UUID formats.

Notably, the information extended far beyond mere contact details. Several folders held emotionally and legally sensitive content, including:

  • Notes on adoption applications, including grounds for approval or denial.
  • Details about birth fathers, including full names and legal or family circumstances.
  • Internal employee records, including email addresses and modified timestamps.
  • Communications with medical professionals, CPS (Child Protective Services), and other social services.
  • A wide range of records covering leads, dorm residents, medical expenses, and pregnancies.

Though the records spanned many years, indications suggested that the database had been created or uploaded shortly before its discovery, raising questions about how long it was publicly accessible — and whether any malicious actors accessed it before it was secured.

Gladney Center for Adoption Implicated

While internal data pointed toward the Gladney Center for Adoption as the source, the researcher was unable to confirm whether the database was managed by Gladney directly or by a third-party vendor. Following responsible disclosure protocols, he notified the organization, and the database was secured the next day. However, Gladney did not respond to the disclosure, and no formal acknowledgment or public statement has been made to date.

Real-World Risks from Digital Exposure

The sensitivity of the exposed information poses significant risks to the individuals involved, particularly those in emotionally vulnerable circumstances, such as birth parents and adoptive families.

“Criminals could hypothetically leverage these records for identity theft, phishing, blackmail, or impersonation schemes,” the expert warned. “When dealing with adoptions, individuals are more likely to respond to messages referencing personal details they believe are only known to the agency.”

This kind of exploit could be devastating, not only for its financial or legal consequences but for the emotional toll it could take on affected individuals.

Security Lapses and Preventative Measures

The breach shines a spotlight on fundamental security failures, such as the absence of data encryption and access controls. While the data did not include full case files, the fragments — UUIDs, subject lines, and internal notes — could serve as puzzle pieces that, when assembled, present a comprehensive and invasive view of a person’s private life.

Organizations dealing with sensitive personal data should adopt a layered security approach, including:

  • Encryption of all sensitive data
  • Strict user access controls
  • Regular audits and monitoring
  • Staff training on data privacy and phishing
  • Minimizing data retention and archiving outdated files

He also cautioned against relying on UUIDs as a security measure. These identifiers are meant for unique referencing, not protection, and can be enumerated or reverse-engineered if exposed.
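To make the UUID point concrete, the following added example (not taken from the researcher's report or from any Gladney system) shows what a record identifier can reveal about itself and what an access decision looks like when it does not depend on the identifier being secret. The sample UUIDs and the `owner_id`, `roles` and `caseworker` names are assumptions made for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUID timestamps count 100-ns intervals from this date.
_UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Sample identifiers used only for this illustration.
SAMPLE_V1 = "a8098c1a-f86e-11da-bd1a-00112444be1e"
SAMPLE_V4 = "16fd2706-8baf-433b-82eb-8c7fada847da"


def describe_uuid(value: str) -> dict:
    """Report what a record identifier discloses about itself."""
    u = uuid.UUID(value)
    info = {"version": u.version, "random": u.version == 4}
    if u.version == 1:
        # Version 1 embeds its creation time and a 48-bit node value
        # (often the generating host's MAC address), so neighbouring
        # identifiers are structured rather than unguessable.
        info["created"] = _UUID_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = f"{u.node:012x}"
    return info


def can_read(record: dict, user: dict) -> bool:
    """Decide access from who is asking, never from knowing the ID.

    Hypothetical policy: the record owner or a caseworker may read.
    """
    if not user.get("authenticated"):
        return False
    if user.get("id") == record.get("owner_id"):
        return True
    return "caseworker" in user.get("roles", ())


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V4):
        print(sample, describe_uuid(sample))
    record = {"id": SAMPLE_V4, "owner_id": "u-100"}
    # Knowing the record's UUID grants nothing without authentication.
    print(can_read(record, {"authenticated": False, "id": "u-100"}))
```

Even a fully random version 4 identifier only makes guessing harder; once it appears in an exposed record, the authorization check is the only control left.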

A Wake-Up Call for Data Protection in Social Services

Despite the breach, the researcher acknowledged Gladney’s mission and long-standing efforts to support children and families. However, he stressed that no amount of goodwill can substitute for strong cybersecurity practices, especially when dealing with sensitive populations like children and families navigating the adoption process.

This incident serves as a stark reminder that even the most reputable organizations are vulnerable when data protection is not prioritized. As technology becomes more integrated into social services, the risks of digital exposure increase — but so too do the responsibilities of those managing such data.

For prospective adoptive parents and birth families, it’s crucial to vet agencies carefully and remain informed. According to the National Council for Adoption, regulations vary by state, and international adoptions involve federal oversight but still lack a unified national code. The FBI also warns against adoption fraud, urging vigilance in recognizing red flags, from unverified credentials to coercive tactics.

The Gladney data breach underscores a painful truth: good intentions are not enough in the digital age. Organizations must treat the privacy of their clients — especially those in emotionally sensitive situations — as a top-tier asset, just as critical as the services they provide.