Wednesday, 26 September, 2018

FedEx locks down unsecured Amazon S3 server that leaked customer data

Image: a redacted copy of data FedEx employees left on a publicly accessible Amazon server.
Nellie Chapman | 18 February, 2018, 10:55

According to Kromtech, more than 119,000 scanned documents were discovered on the server.

An unsecured Amazon Web Services S3 bucket holding personal information and scanned identity documents of some 119,000 U.S. and international citizens was found sitting online by a Kromtech security researcher earlier this month. For thousands of people in the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China and several European countries, personal details such as names, home addresses, phone numbers and zip codes were attached to scans of photo IDs on the exposed bucket. Kromtech researchers concluded that the data belonged to Bongo International, a company that provided U.S. retailers with services to facilitate cross-border shipping and sales to customers in other countries.

Cloud Pro has contacted FedEx for comment on the data leak, but the company has yet to respond. Almost 120,000 consumers were exposed by the issue. The files appear to have been created to verify the identities of new Bongo International customers.

Kromtech said the server has since been removed from public access entirely.

"This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale", the researchers wrote.
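The audit the researchers call for comes down to a concrete check: does any bucket's ACL or bucket policy grant access to everyone? The following is an added example, not code from the article or from Kromtech, FedEx or Bongo. It analyzes a bucket ACL and bucket policy offline and flags the grants that make the bucket public. The bucket name, owner ID, VPC endpoint ID and policy JSON are constructed for illustration; in a real audit the same structures come from boto3's get_bucket_acl and get_bucket_policy for each bucket in the acquired account.

```python
"""Offline check of an S3 bucket ACL and bucket policy for public access.

Added example. SAMPLE_ACL and SAMPLE_POLICY are constructed data shaped like
boto3's get_bucket_acl() and get_bucket_policy() output; they are not the
Bongo/FedEx bucket.
"""
import json

# Canned grantee groups that make an ACL grant readable by anyone (AllUsers)
# or by any AWS account holder at all (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: owner has FULL_CONTROL, and the whole world has READ
# (READ on a bucket ACL lets anyone list the bucket's keys).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: one unconditioned public-read statement, one
# that is restricted to a (hypothetical) VPC endpoint by a Condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-scans/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-scans/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")


def public_acl_grants(acl):
    """Return (group, permission) for every grant to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (any caller, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements open to any principal with no Condition.

    A statement with a Condition is skipped here and should be reviewed by hand,
    since conditions can still be far too broad.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one report; a bucket with no policy passes None."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    return {
        "bucket": name,
        "public": bool(acl_findings or policy_findings),
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-kyc-scans", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Run against every bucket in an inherited account, this turns "audit digital assets" into a list of buckets that anyone on the internet can list or read, which is exactly the condition that left the Bongo scans exposed. The ACL check matters as much as the policy check: a bucket with no policy at all is still public if a single AllUsers grant sits in its ACL.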

In a statement, FedEx officials wrote: "After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure". However, Bob Diachenko, head of communications at Kromtech, said, "It is unknown whether FedEx was aware of [this] 'heritage' when it bought Bongo International back in 2014".

The unsecured Amazon S3 bucket formerly belonged to the startup Bongo International, which helped North American merchants with international purchases and deliveries.

Customer data found on an unsecured Amazon server may have been there for years. Kromtech said the information may have been available since 2009. "We have found no indication that any information has been misappropriated and will continue our investigation".