FedEx left customer passport scans on unsecured server

Posted Feb 16, 2018 by James Walker
FedEx has acknowledged that it left sensitive customer data on an unsecured server. Files including passport copies and driving licenses were available for public download for months. FedEx says there is no indication the files were accessed maliciously.
A FedEx truck enters a distribution center in San Rafael, California
Justin Sullivan, Getty/AFP/File
The discovery was made by researchers at the Kromtech Security Center, who "stumbled upon" a publicly accessible Amazon S3 storage bucket containing over 119,000 files relating to FedEx customers. The bucket was found to belong to Bongo International, a company that provided U.S. retailers with services to facilitate cross-border shipping exchanges.
FedEx acquired Bongo International in 2014 and subsequently shut the company down. The S3 bucket remained online, however, either having been overlooked or set up later to store archived material. It had no access controls at all, so anyone on the web could list the bucket and download the files stored in it without credentials.
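The exposure described above comes down to one property: an unauthenticated HTTP GET on the bucket root returns an object listing instead of an AccessDenied error. The following is an added example, not code from the original article nor from FedEx, Bongo or Kromtech, that performs that check the way any web user could and parses the XML that S3 returns. The bucket names and the sample responses are constructed for illustration; the key-name heuristic for identity documents is an assumption, not anything the article says Kromtech used.

```python
"""Check whether an S3 bucket answers anonymous (unauthenticated) listing requests.

Added example, not code from the original article or from FedEx/Bongo/Kromtech.
It sends a plain HTTP GET with no AWS credentials, exactly what any web user
could do, and parses the XML that S3 returns. Bucket names are hypothetical.
"""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key names that suggest scanned identity documents (constructed heuristic,
# based on the document types the article reports were in the bucket).
SENSITIVE_KEY_RE = re.compile(
    r"(passport|driv(er|ing)[_-]?licen[cs]e|national[_-]?id|military[_-]?id|"
    r"vehicle[_-]?reg)", re.IGNORECASE)


def fetch_anonymous(bucket: str, timeout: float = 10.0):
    """GET https://<bucket>.s3.amazonaws.com/ with no credentials.

    Returns (status_code, body_text). Needs network access; the classification
    logic is kept separate so it can be exercised offline on sample responses.
    """
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify_listing(status: int, body: str) -> dict:
    """Interpret the response to an anonymous GET on a bucket root.

    200 + ListBucketResult: anyone can enumerate the bucket (the Bongo case).
    403 + Error/AccessDenied: listing is denied. Individual objects may still
    be world-readable by direct URL; that is a separate check not done here.
    """
    result = {"public_listing": False, "object_count": 0,
              "sensitive_keys": [], "error_code": None, "truncated": False}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["error_code"] = "unparseable"
        return result
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        result["public_listing"] = True
        # S3 returns at most 1000 keys per page; IsTruncated signals more.
        result["truncated"] = root.findtext(S3_NS + "IsTruncated") == "true"
        for obj in root.iter(S3_NS + "Contents"):
            key = obj.findtext(S3_NS + "Key") or ""
            result["object_count"] += 1
            if SENSITIVE_KEY_RE.search(key):
                result["sensitive_keys"].append(key)
    elif root.tag == "Error":
        result["error_code"] = root.findtext("Code")
    else:
        result["error_code"] = f"unexpected-{status}"
    return result


# Constructed sample responses in the shape S3 returns (not real data).
OPEN_BUCKET_XML = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-archive-bucket</Name>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>kyc/2011/passport_scan_00123.jpg</Key><Size>412301</Size></Contents>
  <Contents><Key>kyc/2011/driving-license_00123.jpg</Key><Size>388120</Size></Contents>
  <Contents><Key>logs/2012/app.log</Key><Size>1024</Size></Contents>
</ListBucketResult>"""

DENIED_XML = """<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>EXAMPLE</RequestId></Error>"""


if __name__ == "__main__":
    # With a bucket name on the command line the check runs live; otherwise
    # it runs against the constructed samples above.
    if len(sys.argv) > 1:
        print(classify_listing(*fetch_anonymous(sys.argv[1])))
    else:
        print("open   ->", classify_listing(200, OPEN_BUCKET_XML))
        print("denied ->", classify_listing(403, DENIED_XML))
```

A bucket that yields `public_listing: True` here is exposed regardless of what the files are; the sensitive-key list only prioritises triage. The fix on the AWS side is to deny anonymous access in the bucket policy and enable the account-level Block Public Access settings, and then re-run this check from outside the account to confirm the 403.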
The information on the server was highly sensitive and could enable precise identification of individuals. Amongst the files confirmed to be present are scans of national identity cards, driving licenses, passports, vehicle registration forms and even U.S. military identification cards. Many of the files have been independently verified with their owners by security researchers and journalists.
The find is highly significant as it suggests anyone who used the services of Bongo International may have been put at risk of having sensitive data stolen. Because the server was open to the public, it's possible the files were found and accessed before Kromtech security came across it. All the records were unencrypted and uploaded between 2009 and 2012.
After discovering the bucket this week, Kromtech made urgent attempts to contact FedEx and get it taken offline. When the company failed to respond, the security firm contacted the news site ZDNet. Only then was contact made with FedEx, which has since taken the bucket down.
Kromtech has confirmed the files are no longer publicly accessible. In comments to ZDNet, FedEx acknowledged the authenticity of the data but claimed there's no indication it was accessed prior to Kromtech's investigation.
"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," said FedEx to ZDNet. "The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation."
FedEx hasn't elaborated on what its investigation will look at or whether the authorities will be involved. Considering the sensitivity of the data involved, the breach will be alarming to people who are caught up in it. The files appear to have been created for use when verifying the identities of new Bongo International customers.