- Gladney Center for Adoption's CRM generated lots of sensitive data
- This data was stored in a non-encrypted, non-password-protected database
- The database contained names, addresses and more
Gladney Center for Adoption, a non-profit adoption agency, leaked sensitive information about children, parents, employees and other people by storing it in an unprotected database.
Earlier this week, Jeremiah Fowler, a security researcher known for hunting for non-password-protected, non-encrypted databases, found one that was 2.49 GB in size and contained more than 1.1 million records.
The records included the names of children, birth parents, adoptive parents, employees and leads. In addition to the names, there were also telephone numbers, postal addresses, information about “birth fathers” and data on whether people were approved or denied as adoptive parents.
Abusing info for phishing
The information is very sensitive and, as such, very valuable to cyber criminals. Crooks can use it to create custom-built, compelling phishing emails through which they can deploy malware, steal bank information or other login credentials, resulting in identity theft, wire fraud and possibly ransomware.
For example, a cyber criminal may find a person who was previously denied becoming a foster parent and send them an email notifying them of a change in their status. To finish the process, however, they would have to pay a fee within a 24-hour window. This is just a theoretical example of how crooks could abuse Gladney’s data.
The good news is that there is no evidence that someone discovered the archive before Fowler did. As soon as the database was found, the researcher reached out to Gladney, which locked it down almost immediately. We do not know how long it remained exposed, and confirming that the files were not stolen would require a detailed forensic analysis.
We also do not know if Gladney was the one who maintained this database or whether it was a third party’s work. We know it was generated by a customer relationship management (CRM) system.
Via Website Planet



