FedEx has exposed private information of thousands of its customers after the company left drivers' licences and other sensitive data on a publicly accessible Amazon S3 server. The server belonged to Bongo International LLC, a company that helped US retailers perform shipping calculations and currency conversions in order to sell products online to consumers around the world. [Bongo was acquired by FedEx in 2014 and the service was discontinued in April 2017.]
The exposure was first spotted by Kromtech Security Center, after which the company scrambled to secure the publicly accessible server to contain the situation. "Among other stuff, it contained more than 119 thousand scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. IDs were accompanied by scanned 'Applications for Delivery of Mail Through Agent' forms (PS Form 1583), which also contained names, home addresses, phone numbers and zip codes," the security firm wrote.
The data was hosted on a password-less storage server that contained over 119,000 files. While a majority of records are on US nationals, the scanned IDs originated from several other countries as well, including Canada, Australia, Saudi Arabia, Japan, China, Mexico, and several European countries.
The exposed data included hundreds of thousands of scanned documents, including:
- Drivers' licenses
- National ID cards
- Work ID cards
- Voting cards
- Utility bills
- Vehicle registration forms
- Medical insurance cards
- Firearms licenses
- US military identification cards
- Credit cards (in a few cases)
"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," a FedEx spokesperson said.
"The data was part of a service that was discontinued after our acquisition of Bongo."
It should be noted that the documents were dated between 2009 and 2012, well ahead of FedEx's acquisition of Bongo. It remains unclear whether the company was aware of this server. "This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale," Kromtech said.
"During the integration or migration phase is usually the best time to identify any security and data privacy risks."
Kromtech warns that anyone who used Bongo's services between 2009 and 2012 should consider their identity compromised.
FedEx assures that it has "found no indication that any information has been misappropriated" and will update after a thorough investigation.