FedEx customer data found on an unsecured Amazon server may have been there for years.
Data breaches dominated the headlines last year, with major firms such as Uber and Equifax under fire for leaving massive amounts of data exposed. Now, global package delivery firm FedEx has admitted that it left customer records on an unsecured Amazon S3 server.
Security firm Kromtech found the unsecured, publicly accessible S3 bucket on 5 February; it contained more than 100,000 files. The information stored on the server included numerous scanned documents from people scattered across the globe, including citizens of the US, Mexico, Saudi Arabia and many other countries.
Kromtech researchers concluded that the data was the property of Bongo International, a company that helped US retailers sell to customers in other countries.
FedEx acquired Bongo International in 2014, relaunching it in 2016 as FedEx Cross Border. The service was shuttered a year later. Anyone could sign up to the service by completing a US Postal Service form that regulated the handling and receipt of a person’s mail. A form of identification was also required alongside the completed form. All of this information was left exposed on the Amazon S3 bucket.
Personal documents found on AWS server
Driving licences, national identification cards, work IDs, voting cards and utility bills are just some of the documents researchers stumbled upon. They even found details of a senior official at the ministry of defence in the Netherlands. Home addresses were also easily available on the postal forms found on the server.
Documents date back to 2008 and the server was updated until September 2015. Although much of the information is now expired, there was still a major risk of identity theft due to the unsecured nature of the server.
A FedEx spokesperson, Jim McCluskey, said: “After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure.
“The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated, and will continue our investigation.”
Bob Diachenko, head of communications at Kromtech, said: “Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years.”
Implementing new technology without a full understanding
According to Alex Heid, white hat hacker and chief research officer at SecurityScorecard, this latest instance of a leaking database from the Amazon S3 network “appears to be yet another result of the implementation of new technologies without a full understanding of the features and access controls.
“The problem is, a percentage of people will always skip over the access control restrictions part of documentation, or may even believe to have implemented it correctly. Also, there has been a release of Amazon S3 enumeration tools, which allow attackers, researchers and companies the ability to discover these exposed instances.”
Cloud security expert, and CEO and co-founder of RedLock, Varun Badhwar, said cloud security breaches such as this have plagued the industry for more than a year now. “Unfortunately, this problem is not going away any time soon despite cloud service providers’ efforts to provide additional tools to organisations to detect such misconfigurations, since changes to sharing permissions for these services are being made by users without any security oversight.”
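The misconfiguration described above, an S3 bucket whose ACL or policy grants access to everyone, is something an organisation can detect in its own configuration before a researcher does. The script below is an added example, not code from the article or from FedEx, Bongo, Kromtech or RedLock: it audits the two documents that decide who may read a bucket, the ACL (as returned by the GetBucketAcl API) and the bucket policy (the JSON string returned by GetBucketPolicy), and flags grants to the AllUsers/AuthenticatedUsers groups and Allow statements whose principal is anyone. The bucket name, owner ID and VPC endpoint ID are constructed placeholders, and no AWS calls are made, so it runs offline.

```python
"""Offline audit of S3 bucket ACL and bucket-policy documents for public access.

Added example, not code from the article or from FedEx, Bongo or Kromtech.
Input shapes mirror the AWS GetBucketAcl / GetBucketPolicy responses, but the
documents below are constructed samples; nothing here talks to AWS.
"""
import json

# Predefined AWS groups: a grant to AllUsers makes a bucket world-readable,
# a grant to AuthenticatedUsers opens it to any AWS account holder.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group URI, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*", {"AWS": "*"} or "*" inside an AWS principal list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements open to any principal, noting whether a
    Condition block narrows them. An unconditioned one is the exposure."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", f"statement[{index}]"),
            "actions": list(actions),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def bucket_is_public(acl, policy):
    """Public if the ACL grants to a public group or the policy has an
    Allow for anyone that no Condition restricts."""
    if acl_public_grants(acl):
        return True
    return any(not f["conditioned"] for f in policy_public_statements(policy))


def hardened_policy(policy):
    """Copy of the policy with every unconditioned public Allow removed."""
    kept = [s for s in policy.get("Statement", [])
            if not (s.get("Effect") == "Allow"
                    and _principal_is_anyone(s.get("Principal"))
                    and not s.get("Condition"))]
    return {**policy, "Statement": kept}


# Constructed sample ACLs (owner ID is a placeholder).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"},
               "Permission": "FULL_CONTROL"}
SAMPLE_ACL_PRIVATE = {"Owner": {"ID": "EXAMPLE_OWNER_ID"}, "Grants": [OWNER_GRANT]}
SAMPLE_ACL_PUBLIC = {"Owner": {"ID": "EXAMPLE_OWNER_ID"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Constructed sample policy, in the JSON-string form GetBucketPolicy returns.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]
}""")

if __name__ == "__main__":
    print("ACL public grants:", acl_public_grants(SAMPLE_ACL_PUBLIC))
    print("Policy public statements:", policy_public_statements(SAMPLE_POLICY))
    print("Public as configured:", bucket_is_public(SAMPLE_ACL_PUBLIC, SAMPLE_POLICY))
    print("Public after hardening:",
          bucket_is_public(SAMPLE_ACL_PRIVATE, hardened_policy(SAMPLE_POLICY)))
```

The conditioned `VpcEndpointOnly` statement is reported but not counted as public, because the `aws:SourceVpce` condition limits it to one VPC endpoint; reviewing such conditions by hand is still worthwhile, since a weak condition is only marginally better than none. Run against real accounts, the two inputs would come from the GetBucketAcl and GetBucketPolicy calls for every bucket, which is the kind of continuous check Badhwar's quote says users' unsupervised permission changes require.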