Major Data Breach at Adoption Agency Exposes Over a Million Records

Discover the alarming details of a recent data breach at the Gladney Center for Adoption, where over a million sensitive records were exposed. Learn about the implications, risks, and how to protect yourself in the aftermath.

TL;DR

  • Security researcher Jeremiah Fowler discovered a publicly accessible database containing highly sensitive information from the Gladney Center for Adoption.
  • The database contained 1,115,061 records, including names of children, birth parents, adoptive parents, and case notes.
  • The breach highlights the risks of exposing sensitive adoption-related data and the importance of securing online databases.

Security researcher Jeremiah Fowler recently uncovered a publicly accessible database containing highly sensitive information from an adoption agency. Fowler, known for his work in identifying exposed cloud storage, found the database during his routine searches. The nature of the information immediately raised concerns, prompting him to investigate the source.

Research indicated that the database belonged to the Gladney Center for Adoption, a non-profit based in Fort Worth, Texas. After the agency was notified, the database was secured the following day. However, it is uncertain whether any malicious actors accessed the data before it was secured.

The unencrypted and non-password-protected database contained 1,115,061 records, including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes. The exposure of such data poses significant risks, as adoption records often include highly personal details about children, birth parents, adoptive parents, and agency staff.

Risks and Implications

The sensitivity of adoption-related data makes these exposures particularly damaging. Cybercriminals could use this information for targeted phishing attacks, making their queries more plausible. In some cases, the information could be sensitive enough to use for extortion or identity theft.

The researcher noted that while the records did not contain full case files, they included a combination of plain text and unique identifiers. However, unique identifiers are not necessarily a security enhancement:

“From a cybersecurity perspective, a UUID is designed for unique identification, not secrecy, and it can potentially be guessed, reverse-engineered, or enumerated. UUIDs are not recommended to be used to protect sensitive data.”
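To make the researcher's point concrete, the following added example (not part of the original article or of the researcher's work) audits a list of identifiers and reports what each UUID discloses through its structure alone. The sample identifiers are illustrative values unrelated to the incident, and the function names are hypothetical.

```python
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

# UUID timestamps count 100 ns ticks from the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def audit_identifier(value):
    """Describe what an identifier discloses by its structure alone."""
    try:
        u = uuid.UUID(value)
    except ValueError:
        return {"value": value, "valid": False, "finding": "not a UUID"}
    report = {"value": str(u), "valid": True, "version": u.version}
    if u.variant != uuid.RFC_4122:
        report["finding"] = "unknown layout"
    elif u.version == 1:
        # Version 1 stores the creation time and the generating node in clear.
        created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        report["created_utc"] = created.isoformat()
        report["node"] = f"{u.node:012x}"
        report["finding"] = "time-based: embeds creation time and node id"
    elif u.version in (3, 5):
        report["finding"] = "name-based: deterministic hash of a name"
    elif u.version == 4:
        report["finding"] = "random: an identifier, not a credential"
    else:
        report["finding"] = "other version: review its layout"
    return report

def summarize(values):
    """Count identifiers per finding so predictable ones stand out in review."""
    return Counter(audit_identifier(v)["finding"] for v in values)

# Sample identifiers for illustration only (not from the exposed database).
SAMPLE_IDS = [
    "c232ab00-9414-11ec-b3c8-9f6bdeced846",  # version 1
    "c232ab01-9414-11ec-b3c8-9f6bdeced846",  # version 1, one tick later
    "3d813cbb-47fb-32ba-91df-831e1593ac29",  # version 3
    "f47ac10b-58cc-4372-a567-0e02b2c3d479",  # version 4
    "record-000123",                         # not a UUID at all
]

if __name__ == "__main__":
    for sample in SAMPLE_IDS:
        print(audit_identifier(sample))
    print(summarize(SAMPLE_IDS))
```

Whatever the version, access to a record should depend on authentication and authorization checks on the database or API, not on the identifier being hard to guess.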

Given the long-standing reputation of an adoption center like Gladney, people trust the agency with their personal information. This trust should not be compromised by a failure as basic as not securing an online database with a password.

Agency Response

It is unclear whether the database was exposed by Gladney itself or a third-party provider. Wired posted a statement by Gladney’s Chief Operating Officer, which did not provide much clarity on what went wrong:

“The Gladney Center for Adoption takes security seriously. We always work with the assistance of external information technology experts to conduct a detailed investigation into any incident. Data integrity and operations are our top priority.”

Protecting Yourself After a Data Breach

While there are no indications that this database was found by cybercriminals before it was secured, it is possible. If you are, or suspect you may have been, the victim of a data breach, consider the following actions:

  • Check the vendor’s advice: Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password: Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA): If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors: The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details: It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring: Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

Conclusion

The data breach at the Gladney Center for Adoption highlights the critical importance of securing sensitive information. While the full extent of the damage is yet to be determined, it serves as a reminder for individuals and organizations to prioritize data security. By taking proactive measures, such as enabling two-factor authentication and using strong passwords, individuals can better protect themselves from the potential fallout of data breaches.

This post is licensed under CC BY 4.0 by the author.