An unencrypted, non-password-protected database was discovered, associated with a prominent adoption agency. The database was 2.49 GB in size and contained 1,115,061 records. Information in the records indicated the database may belong to Gladney Centre for Adoption, though it is unknown if it was owned and operated by the organization directly or by a third-party.

Exposed information includes: 

• A folder labelled “contacts,” containing records of first and last names, phone numbers, emails, and addresses. This contained approximately 39,000 records. 
• A folder labelled “emails,” containing emails with subject lines and identifiable details, such as who sent the email. The email bodies were not exposed. This contained approximately 284,000 records. 
• A folder labelled “Birth Fathers,” containing information such as first, last, and middle names as well as specific details (such as family circumstances or legal issues). 

Data from adoption agencies are sensitive by nature. This exposure is a privacy concern as well as a potential risk, as this exposed data could allow malicious actors to determine the physical locations of children, birth parents, or adoptive parents without consent. 

When sent a responsible disclosure notice, the organization restricted the database the following day. It is not known how long the database was exposed, or if any malicious actors accessed it.