In a significant case of oversight in data security, a cybersecurity expert has uncovered a large-scale data leak involving over one million records tied to the Gladney Center for Adoption, a respected adoption agency based in Texas with more than a century of service. The unprotected and unencrypted database, found by a researcher and reported to Website Planet, included a wealth of private and potentially harmful information related to adoption proceedings, employee details, and sensitive organizational records.
A Serious Violation of Privacy
The uncovered database held 1,115,061 records, totaling 2.49 gigabytes of data, and was freely accessible online due to the lack of password protection or encryption. The records appeared to originate from a Customer Relationship Management (CRM) system, and included personally identifiable information (PII) such as full names, email addresses, home addresses, phone numbers, and more — stored in both plain text and UUID (Universally Unique Identifier) formats.
However, the data exposed went far beyond simple contact information. The database contained folders with deeply personal and legally sensitive material, including:
- Adoption application summaries with approval or rejection reasons
- Details about birth fathers, including their names and personal histories
- Staff data such as emails and timestamps of activity
- Correspondence with healthcare professionals and child welfare organizations
- Case notes on pregnancies, dormitory residents, financial information, and other internal records
Although the information spanned multiple years, evidence suggested that the database had only been created or uploaded shortly before it was discovered. This raises concerns about how long it may have been exposed — and if unauthorized parties accessed it during that window.
Questions Around Gladney’s Responsibility
While various files and metadata pointed directly to the Gladney Center for Adoption, it remains unclear whether Gladney itself maintained the database or if it was controlled by a third-party service provider. The researcher followed responsible disclosure protocols and alerted the agency. Although the database was taken offline the following day, Gladney has yet to issue a public response or acknowledgment of the incident.
Potential Harm to Vulnerable Individuals
The nature of the information exposed puts adoptive families, biological parents, and children at risk — many of whom are already in sensitive, emotionally charged situations. Such information could be exploited by cybercriminals for identity theft, targeted phishing, impersonation, or blackmail.
“Fraudsters could pose as agency staff or social workers, referencing real internal details to gain trust,” he noted. This type of deception could have serious financial, emotional, and psychological impacts on victims.
Clear Gaps in Security and Preventive Practices
The breach brings to light serious shortcomings in digital protection. While the dataset did not include complete case files, the presence of UUIDs, email subject lines, and case notes means that the data could be pieced together to reconstruct detailed profiles of individuals — violating their privacy and security.
To avoid such exposures in the future, organizations handling confidential data should implement multi-layered cybersecurity measures, such as:
- Encrypting all sensitive data
- Restricting access based on user roles
- Conducting regular system and security audits
- Training employees in privacy best practices and phishing awareness
- Minimizing retained data and securely archiving outdated files
UUIDs should never be used as a replacement for encryption, as they are not secure and can be guessed or systematically reverse-engineered.
A Wake-Up Call for Social Service Organizations
Although Gladney’s longstanding dedication to helping children and families is not in question, this incident illustrates that even trusted institutions can become vulnerable when cybersecurity is not adequately addressed. In a world where adoption records and family information are stored digitally, data protection must be a core component of an organization’s infrastructure.
The breach serves as a reminder that good intentions don’t excuse poor cybersecurity. Social service providers must treat their clients’ data with the same seriousness and care as the services they offer.
Protecting Families in the Digital Age
For families navigating the adoption process, this breach reinforces the importance of choosing agencies wisely and staying informed about their practices. The National Council for Adoption notes that while adoption is regulated on a state-by-state basis, international procedures involve federal oversight — yet still lack a universal legal framework. Meanwhile, the FBI has warned of fraudulent adoption schemes, encouraging prospective parents and birth families to watch for red flags like unverifiable credentials, excessive upfront fees, and coercive tactics.
Final Thoughts
The Gladney data leak reveals a harsh but necessary truth: data privacy is no longer optional. Especially in emotionally sensitive fields like adoption, the information entrusted to organizations must be protected with the highest standards of cybersecurity. Without it, even the most reputable and well-meaning organizations can unintentionally put those they serve at risk.
