FedEx Customer Records Exposed
On February 5th Kromtech security researchers have stumbled upon another Amazon S3 bucket, set for public access.
Among other stuff, it contained more than 119 thousands of scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. IDs were accompanied by scanned "Applications for Delivery of Mail Through Agent" forms (PS Form 1583) - which also contained names, home addresses, phone numbers and zip codes.
Citizens from all over the world left their scanned IDs - Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia - to name a few.
After analyzing the data, Kromtech security experts concluded that data apparently belonged to Bongo International LLC - a company which specialized in helping North American retailers and brands sell online to consumers in other countries.
In 2014 FedEx Corp. bought Bongo International and 14 months later, in 2016, relaunched it as FedEx Cross-Border International, to “address international purchasing obstacles with a seamless checkout and delivery approach that accepts over 80 currencies, provides 15 payment options, manages multiple delivery options, and offers credit card fraud protection, all through a single platform”.
However, FedEx Cross-Border service was shut down in April 2017.
”In the fast-moving world of global online shopping, change is inevitable. As of April 15, 2017, the International Shopper service was discontinued. We appreciate your business and hope you've enjoyed your purchases from around the world”.
Still, the data inherited from Bongo International LLC services from 2009-2012 era were publicly available - at least, until now.
On February 13th, after effortless attempts to get in touch with FedEx via FedEx Cross Border Merchant Customer Support line and emails, Kromtech connected with ZDNet reporter, Zack Whittaker, with whom we successfully worked on similar cases in the past, and on the next day bucket has been removed from public access completely. Shortly after, FedEx has provided ZDnet with the following comment:
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
Read Zachs take on this story at ZDnet.
Bob Diachenko, head of communications, Kromtech Security Center:
"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years. Seems like bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that "heritage" when it bought Bongo International back in 2014"
During any M&A (mergers and acquisitions) transactions it is important that the company who is selling their assets notify their customers that the business is going to be sold and their private data will be transferred to new ownership. The purchasing company should give customers the option to opt out of their data being transferred and provide a data protection notice. This case highlights just how important it is extremely important to audit the digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale. During the integration or migration phase is usually the best time to identify any security and data privacy risks.
In October 2017 the Kromtech Security Center released a free scan tool that helps identify and secure publically accessible Amazon S3 Buckets within an organization's network. We have also published an in-depth guide explaining how to secure Amazon S3 buckets for better data security.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org