119,000 FedEx users’ passports, security ID & driving licenses exposed

Share this…

FedEx customer data has been exposed online, thanks to unsecured AWS S3 bucket. In July 2017, FedEx Corporation announced that its subsidiary company TNT Express was facing issues due to the infection caused by Petya ransomware attack. In the attack the company remained clueless regarding the revival of some of the affected systems while its quarterly profit was slashed by up to $300 million.

Now, a cyber security firm has discovered data dating from 2009-2012 belonging to FedEx’s customers which were exposed online for anyone to access.

The company found 119,000 customer records including scanned copies of passports, driving licenses and security IDs of Americans and international customers such as Australia, Canada, China, Japan, Kuwait, Mexico, Malaysia, Saudi Arabia, EU and others.

fedex

According to the cyber security company, one of the files also contained names, phone numbers, home addresses, and zip codes of customers however no emails or passwords were found in the unsecured Amazon Web Services (AWS) S3 bucket.

In addition, researchers affirm that the data was never accessed by third or malicious parties. In-depth investigation by information security researchers revealed that the data belonged to Bongo International LLC, a company that FedEx bought back in 2014. However, the service was shut down in April 2016 yet the data remained on the server.

A cloud cyber security expert, told us via email that:

“Cloud security breaches have plagued the industry for over a year now. Unfortunately, this problem is not going away anytime soon despite cloud service providers’ efforts to provide additional tools to organizations to detect such misconfigurations since changes to sharing permissions for these services are being made by users without any oversight of a information security professional.

“Even if an organization enforces strict monitoring to ensure such mistakes are not made within its own public cloud environment, it still needs to ensure that third-party providers that have access to the organization’s sensitive data are taking similar measures. In the case of FedEx, this breach was the result of negligence on the part of Bongo International.”

Even though the data has been secured, the nightmare for FedEx just begin since the exposed data contained personal data of EU citizens. Remember, European Union countries have strict laws to protect the privacy of its citizens.