Et tu, FedEx? In what is now becoming an alarmingly regular occurrence, an unsecured AWS S3 server has exposed the personal information of tens of thousands of users.
The server in question is affiliated with FedEx.
Kromtech Security Center researchers came across the exposed information, which included some 119,000 scanned documents like passports, driver’s licenses, and security IDs on an open S3 bucket belonging to Bongo International.
This was a company that FedEx purchased in 2014.
Customer records, including postal addresses, were also part of the leak.
And as Bob Diachenko, head of communications for Kromtech Security Center, reveals, although the leaked data is old, it is not too old, meaning it might still be very useful to identity thieves and other cybercriminals:
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years.
It seems like the bucket has been available for public access for many years in a row. Applications are dated within the 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International.”
The files belonged to customers in locations like Australia, Canada, China, Japan, Kuwait, Malaysia, Mexico, Saudi Arabia, and a number of European countries.
It goes without saying that the S3 bucket has since been locked down.
Nevertheless, this is another case of companies not paying attention to the security of their cloud configurations, even in the face of high-profile data leaks that have made headlines over the past couple of years.
Sadly, it doesn’t seem like things are changing, with the end result being that the private information of end users is put at risk by these security lapses.