Credit: The original article is published here.
- Gladney Centre for Adoption’s CRM was generating plenty of sensitive data
- That data was being stored in an unencrypted, non-password-protected database
- The database contained names, addresses, and more
Gladney Centre for Adoption, a non-profit adoption agency, was leaking sensitive information about children, parents, employees, and other people by keeping an unprotected database.
Earlier this week, Jeremiah Fowler, a security researcher known for hunting for non-password-protected, unencrypted databases, found one that was 2.49 GB in size, and which contained more than 1.1 million records.
The records included names of children, birth parents, adopted parents, employees, and leads. Besides the names, there were also phone numbers, postal addresses, information about “birth fathers”, and data on whether people were approved, or denied, becoming an adoptive parent.
Save up to 68% on identity theft protection for TechRadar readers!
TechRadar editors praise Aura’s upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.
Preferred partner (What does this mean?)View Deal
Abusing the info for phishing
The information is highly sensitive, and as such – very valuable to cybercriminals. Crooks can use it to create custom-built, convincing phishing emails, through which they can deploy malware, steal banking information, or other login credentials, resulting in identity theft, wire fraud, and possibly ransomware.
For example, a cybercriminal might find a person that was previously denied becoming a foster parent, and send them an email notifying them of a change in their status. However, to finalize the process, they would need to pay a fee within a 24-hour window. This is just a theoretical example of how crooks could abuse Gladney’s data.
The good news is, there is no evidence anyone discovered the archive before Fowler did. As soon as the database was found, the researcher reached out to Gladney, who locked it down almost immediately. We don’t know for how long it remained active, and to be certain the files weren’t stolen – there would need to be a detailed forensic analysis.
We also don’t know if Gladney was the one maintaining this database, or if that was the work of a third party. We do know that it was generated by a Customer Relationship Management (CRM) system.
Via Website Planet
You might also like
- Public database exposed 184 million credentials including Microsoft, Facebook, Snapchat, and government account logins
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers