In the region of 120,000 sets of sensitive FedEx customer data including driving licenses and passports have been left exposed due to an unsecured AWS S3 silo.
The discovery was made by Kromtech Security Center, recognising the weaknesses in the storage system stem from its set up conducted by Bongo International. This company was acquired by FedEx in 2014.
Following the acquisition the company was shut down, leaving the still valuable information vulnerable to cyber criminals. The massive amount of data is connected to individuals from acroos the globe.
Bob Diachenko, head of communications for Kromtech Security Center, said: “Citizens from all over the world left their scanned IDs – Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia – to name a few.”
AWS S3 silos have previously been at the centre of instances of mass data exposure, one example that stands out is the Verizon data breach of 2017 in which 14 million subscribers were exposed. Phone numbers and account PINS among other details were found on an unprotected S3 silo.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years. Seems like bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that “heritage” when it bought Bongo International back in 2014,” said Diachenko.
Customer data is becoming increasingly sought after by cyber criminals, with levels of cyber fraud soaring in recent years. Large scale data breaches and exposures are fuelling the fire, perpetuating further instances of cybercrime.
Speaking to ZDNet, FedEx said: “After a preliminary investigation we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”