FedEx Customer Data Exposed on Unsecured S3 Server
Thousands of documents from US and international citizens were exposed on an Amazon S3 bucket configured for public access.
Data belonging to thousands of global FedEx customers was exposed on an unsecured Amazon Simple Storage Service (S3) server configured for public access, Kromtech security analysts discovered earlier this month.
The exposed bucket belonged to Bongo International LLC, a company created to help North American companies market to customers around the world. FedEx acquired Bongo in 2014. Two years later, it relaunched it as FedEx Cross-Border International, which shut down in 2017.
Although the organization was closed, data inherited from 2009-2012 remained available on the server, exposing personal identifiable information from citizens representing Canada, Japan, China, Australia, the EU, and other countries until the bucket was removed from public access this month. The server contained more than 119,000 scanned documents including passports, driver’s licenses, and security IDs, in addition to scanned “Applications for Delivery of Mail Through Agent” forms with names, home addresses, phone numbers, and zip codes.
FedEx reports it has no evidence the data was compromised but is still investigating the matter. The company joins a growing list of organizations that have unintentionally compromised consumer data by failing to properly secure their Amazon S3 storage buckets — a trend that continues as more businesses move to the cloud without taking proper security precautions.
“We need to get our heads out of the clouds, because cloud services are only as secure as you make them,” says Brian NeSmith, CEO and cofounder at Arctic Wolf Networks. “Companies need to start applying the same rigor and discipline to their cloud infrastructure as they do to their on premises network.”
On top of that, a recently discovered search engine makes it easier to look for data left on misconfigured S3 servers. The service, dubbed BuckHacker, lets people search by file name or bucket name, which may include the name of the business using the server.
Source | darkreading