119,000 FedEx users​ ​passports, security ID & driving licenses exposed

119,000 FedEx users​ ​passports, security ID & driving licenses exposed
One of the leaked passport scanned copies exposed in the data (Image credit: Kromtech)

It is just another day with just another privacy invasion – This time it is FedEx whose customer data has been exposed online, thanks to unsecured AWS S3 bucket.

In July 2017, FedEx Corporation, a multinational courier delivery services company based in the United States announced that its subsidiary company TNT Express was facing issues due to the infection caused by nasty Petya ransomware attack. The attack was so serious that the company remained clueless regarding the revival of some of the affected systems while its quarterly profit was slashed by up to $300 million.

Now, FedEx is back in news for all the wrong reasons as the IT security firm Kromtech has discovered a trove of data dating from 2009-2012 belonging to FedEx’s customers which were exposed online for anyone to access with an Internet connection.

In total, the company found 119,000 customer records including scanned copies of passports, driving licenses and security IDs of Americans and international customers such as Australia, Canada, China, Japan, Kuwait, Mexico, Malaysia, Saudi Arabia, EU countries and others.

119,000 FedEx users​ ​passports, security ID & driving licenses exposed
One of the leaked passports scanned copies exposed in the data (Image credit: Kromtech)

According to Kromtech’s blog post, one of the files also contained names, phone numbers, home addresses, and zip codes of customers however no emails or passwords were found in the unsecured Amazon Web Services (AWS) S3 bucket. Furthermore, researchers affirm that the data was never accessed by third or malicious parties.

119,000 FedEx users​ ​passports, security ID & driving licenses exposed
The document files in the exposed data (Image credit: Kromtech)

Moreover, an in-depth investigation by researchers revealed that the data belonged to Bongo International LLC, a company that FedEx bought back in 2014 and provides package and mail forwarding services for customers worldwide. However, the service was shut down in April 2016 yet the data remained on the server.

Kromtech security researchers discovered the data on on February 5th, 2017 but after several failed attempts to get in touch with the related authorities at FedEx, the researchers connected with ZDnet and on February 13th the company removed the data from the exposed S3 bucket.

Varun Badhwar, a cloud security industry expert, and CEO and co-founder of RedLock told HackRead via email that:

“Cloud security breaches due to publicly exposed cloud storage services such as the one at FedEx have plagued the industry for over a year now. Unfortunately, this problem is not going away anytime soon despite cloud service providers’ efforts to provide additional tools to organizations to detect such misconfigurations since changes to sharing permissions for these services are being made by users without any security oversight.

“Even if an organization enforces strict monitoring to ensure such mistakes are not made within its own public cloud environment, it still needs to ensure that third-party providers that have access to the organization’s sensitive data are taking similar measures. In the case of FedEx, this breach was the result of negligence on the part of Bongo International, a company that was acquired by FedEx 4 years ago.”

Although the data has been secured, the nightmare for FedEx might just begin since the exposed data contained personal data of EU citizens. Remember, European Union countries have strict laws to protect the privacy of its citizens. For example, Facebook has been facing a tough time in France and a lawsuit in  Belgium over tracking users. It will be interesting to see if the EU will make a move or warn FedEx over the breach.

Related Posts