FedEx left hundreds of thousands of personal records exposed on unsecured S3 server

The information included passport scans, drivers' licenses and medical insurance cards

119,000 personal documents have been exposed through an unsecured AWS S3 server administered by FedEx, in a data breach that would have GDPR overseers rubbing their hands had it happened just three months later.

These documents, dating from 2009-2012, included scans of passports, driving licenses and national cards. They were accompanied by 'Applications for Delivery of Mail Through Agent' forms (PS Form 1583), which also show names, home addresses, phone numbers and postal codes.

Most of the exposed data belonged to US citizens, but - FedEx being a global company - some also belonged to residents of Mexico, Canada, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia and unnamed 'EU countries'.

Kromtech Security Center, which first identified the open server, said that the data initially belonged to Bongo International LLC, a company that helped US retailers sell products online to consumers around the world.

FedEx acquired Bongo in 2014 and relaunched it as FedEx Cross-Border International in 2016. However, the service was shut down in April last year.

Despite FedEx discontinuing the International Shopper service, the data remained publicly available until Kromtech was able to alert the firm - via a contact at ZDNet, after multiple attempts to get in touch directly had failed.

It is standard practice in any M&A for the acquired company to tell its buyer about any and all assets. However, Bob Diachenko, head of communications at Kromtech, said, "It is unknown whether FedEx was aware of [this] 'heritage' when it bought Bongo International back in 2014."

'This case highlights just how important it is to audit the digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale,' Kromtech added in its report.

Alex Heid, white hat hacker and Chief Research Officer at SecurityScorecard, said, "This latest instance of a leaking database from the Amazon S3 network appears to be yet another result of the implementation of new technologies without a full understanding of the features and access controls. The problem is a percentage of people will always skip over the access control restrictions part of documentation, or may even believe they have implemented it correctly."
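The access-control mistake Heid describes is one that an owner can find by auditing each bucket's ACL, bucket policy and (since AWS added it) Public Access Block settings for grants to anonymous or "any AWS account" principals. The script below is an added illustration for this article, not code from the article, Kromtech, SecurityScorecard or FedEx. It runs offline on constructed documents shaped like the AWS GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the bucket name, account id and owner id in the samples are placeholders.

```python
"""Offline audit of an S3 bucket's ACL, bucket policy and Public Access Block
for settings that expose it to the public.

The input documents mirror the shapes the AWS API returns for GetBucketAcl,
GetBucketPolicy and GetPublicAccessBlock. The sample values at the bottom are
constructed for illustration and describe no real bucket.
"""
import json

# Predefined S3 groups: AllUsers is anyone (including anonymous requests),
# AuthenticatedUsers is any AWS account holder, which is effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs in an ACL that grant access to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group_name = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group_name, grant.get("Permission")))
    return findings


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone, anonymous callers included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return Sids (or statement indexes) of unconditional Allow statements that
    give read or listing access to an unrestricted principal."""
    findings = []
    read_actions = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition (e.g. source VPC) may narrow it; review separately
        if any(action in read_actions for action in _as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_access_block_gaps(config):
    """Return the names of Public Access Block settings that are not enabled."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in wanted if not config.get(key, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into one report; an empty report means no public exposure found."""
    return {
        "acl": acl_public_grants(acl),
        "policy": policy_public_statements(policy),
        "public_access_block_gaps": public_access_block_gaps(pab),
    }


# Constructed samples: an ACL granting READ to everyone, a policy allowing
# anonymous GetObject, and a Public Access Block with the ACL settings off.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpsOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

In practice the three documents come from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` for every bucket in the account, and the report is fed to whoever owns the bucket; the point of checking all three is that a bucket can be closed at the ACL level and still be open through its policy, or the reverse.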

For its part, FedEx 'found no indication that any information has been misappropriated' and committed to continuing an investigation.

As EU citizens' records were exposed on the server, FedEx would have been liable for GDPR fines (up to €20 million or four per cent of global annual turnover) if this information had been revealed after the 25th of May.

Despite the very personal nature of the records, this breach was still much less damaging than the NotPetya attack on FedEx subsidiary TNT Express last year, which cost it as much as $300 million.