Voluminous FedEx customer data exposed on unsecured server

16 Feb 2018

Thousands of FedEx customers had their personal information exposed after the company left scanned passports, drivers' licenses, and other identity documents in a publicly accessible Amazon S3 storage bucket.

The scanned IDs are from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries.

The IDs were attached to forms that had several pieces of personal information, including names, home addresses, phone numbers, and zip codes.

The bucket, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.

Kromtech said the bucket belonged to Bongo International LLC, a company that helped customers perform shipping calculations and currency conversions, and offered other services. FedEx acquired Bongo in 2014 and renamed it FedEx Cross-Border International a little over a year later; the service was discontinued in April 2017.

Researchers said yesterday that passports, driver's licenses and other sensitive documents belonging to thousands of FedEx customers had been inadvertently left online, possibly for years.

The information was available to identity thieves and other malicious actors, researchers said yesterday.

Overall, Kromtech researchers found 119,000 scanned documents stored in the publicly accessible Amazon S3 bucket. Besides the photo ID scans, the bucket also contained completed US Postal Service forms that included the names, home addresses, and phone numbers of people who had requested to have mail delivered by an authorised agent.

"Citizens from all over the world left their scanned IDs - Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia - to name a few," Kromtech researchers wrote.

According to commentators, the discovery of the customer IDs and other personal information suggests not only that the data was never properly secured in the first place, but also that FedEx failed to purge it when the service was discontinued.
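The exposure described above comes down to a bucket that anyone could list and read. The following is an added example, not code from the Kromtech report or from FedEx/Bongo: it takes the three documents that decide whether an S3 bucket is public (its ACL, its bucket policy, and its Public Access Block settings) and reports the grants and statements that open it to anonymous or any-authenticated AWS users. The ACL, policy and Public Access Block documents at the bottom are constructed samples shaped like the responses of boto3's `get_bucket_acl()`, `get_bucket_policy()` and `get_public_access_block()`; the bucket name `example-archive` is made up. In practice you would pass the live responses for each bucket in the account instead.

```python
"""Audit S3 bucket ACL, bucket policy and Public Access Block for anonymous exposure.

Added example; not part of the article or of any FedEx/Bongo code. The sample
documents at the bottom are constructed, not real data.
"""
import json

# Group grantees that S3 treats as "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (group, permission) pairs that grant the bucket to a public group.
    READ on a bucket ACL allows anonymous listing of every key, which is how
    exposed buckets are usually enumerated."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, [actions]) for Allow statements open to a wildcard principal.
    Statements carrying a Condition block are still reported: conditions such as
    aws:SourceIp are easy to get wrong and deserve a human look."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            hits.append((st.get("Sid", "statement[%d]" % i), actions))
    return hits


def audit_bucket(name, acl, policy, public_access_block):
    """Combine the three views into a list of finding strings for one bucket.

    Public Access Block semantics (AWS documented behaviour): IgnorePublicAcls
    neutralises existing public ACL grants and RestrictPublicBuckets neutralises
    a public bucket policy; BlockPublicAcls and BlockPublicPolicy only stop new
    public settings from being written, so they do not fix an existing exposure.
    """
    pab = public_access_block or {}
    findings = []
    acl_hits = public_acl_grants(acl)
    if acl_hits and not pab.get("IgnorePublicAcls", False):
        findings.append("%s: public ACL grants %s" % (name, acl_hits))
    policy_hits = public_policy_statements(policy) if policy else []
    if policy_hits and not pab.get("RestrictPublicBuckets", False):
        findings.append("%s: public policy statements %s" % (name, policy_hits))
    missing = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                           "BlockPublicPolicy", "RestrictPublicBuckets")
               if not pab.get(k, False)]
    if missing:
        findings.append("%s: Public Access Block not fully enabled (%s)"
                        % (name, ", ".join(missing)))
    return findings


# Constructed sample: the kind of exposure the article describes, an AllUsers
# READ grant plus an anonymous GetObject policy and no Public Access Block.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-archive/*",
    }],
})
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for line in audit_bucket("example-archive", SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print(line)
```

Run against the sample it reports three findings: the AllUsers READ grant, the wildcard-principal GetObject statement, and the missing Public Access Block. Turning on all four Public Access Block settings makes the same ACL and policy inert, which is the quickest fix for a forgotten bucket; deleting data that a discontinued service no longer needs is the durable one.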

According to Kromtech, the information may have been available since 2009.