FedEx has reported that numerous scanned passports, drivers' licenses and other identity documents belonging to its customers were left in an Amazon S3 storage bucket that was publicly accessible (FedEx's own statement calls it a server hosted by a third-party cloud provider). The exposed photo ID scans came from customers in countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan and China. Nearly 120,000 consumers were affected.
The exposed storage was found by researchers at the Kromtech Security Center. It originally belonged to Bongo International LLC, a company FedEx purchased in 2014. Bongo International helped North American retailers and brands sell online to consumers in other countries, mainly by handling shipping calculations and currency conversions.
The acquired company was later renamed FedEx Cross-Border International, and the service was discontinued in April 2017. Kromtech said in a statement, "This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale."
More than 119,000 scanned documents dated between 2009 and 2012 were found in the bucket. The forms the scanned photo IDs were attached to carried further personal information about the customers, including names, home addresses, phone numbers and ZIP codes. It is unclear whether FedEx was aware of the bucket's existence when it purchased Bongo.
FedEx said in a statement that the data has been secured as of last Tuesday. The statement reads, "After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure." The company also says there is "no indication" that the data has been "misappropriated." An investigation into the matter is ongoing.
Anyone who used Bongo International or FedEx Cross-Border International should be on alert. The blunder left the information available to identity thieves and other malicious actors, and it may have been accessible for several years: Kromtech said the data could have been exposed since 2009. One caveat on the "no indication" of misuse: S3 does not record who reads from a bucket unless server access logging or CloudTrail data-event logging has been switched on for it, so unless Bongo or FedEx had done that there is no record of who downloaded the files before the bucket was locked down.
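The audit Kromtech recommends comes down, for S3, to checking three things on every bucket an acquisition brings in: the bucket ACL, the bucket policy, and the account or bucket Block Public Access settings. The following is an added example written for this page, not code from FedEx, Bongo or Kromtech; it evaluates those three inputs offline. The ACL and policy documents are constructed samples in the shape the S3 GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock APIs return (the same dicts boto3 hands back), so no credentials or network access are needed to run it; the bucket name and canonical ID in the samples are invented.

```python
"""Offline check for S3 bucket settings that make objects world-readable.

Added example for this article, not FedEx/Bongo/Kromtech code. Inputs are
constructed samples shaped like the GetBucketAcl, GetBucketPolicy and
GetPublicAccessBlock API responses; swap in real responses to audit a bucket.
"""
import json

# Grantee URIs S3 treats as "everyone" and "any AWS account holder";
# both are effectively public, since anyone can create an AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}  # READ on a bucket lists its keys
# Any of these actions lets the principal fetch or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields such as Statement, Principal.AWS and Action may be scalar or list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_findings(acl):
    """One finding per ACL grant that gives a public group read access."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GRANTEES.get(grant.get("Grantee", {}).get("URI"))
        if group and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def policy_findings(policy_json):
    """One finding per Allow statement that lets any principal read or list objects."""
    if not policy_json:
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(f"policy statement {sid} allows {sorted(actions)} to Principal *")
    return findings


def public_access_findings(acl, policy_json, public_access_block):
    """Combine ACL and policy findings, honouring Block Public Access.

    IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets
    stops a public bucket policy from granting anonymous access. Either flag
    therefore suppresses the corresponding class of finding.
    """
    findings = []
    if not public_access_block.get("IgnorePublicAcls", False):
        findings += acl_findings(acl)
    if not public_access_block.get("RestrictPublicBuckets", False):
        findings += policy_findings(policy_json)
    return findings


# Constructed samples: a bucket readable by everyone via both ACL and policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-archive-bucket/*"}],
})
NO_BLOCK = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in public_access_findings(SAMPLE_ACL, SAMPLE_POLICY, NO_BLOCK):
        print("PUBLIC:", finding)
    print("with Block Public Access:",
          public_access_findings(SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK))
```

Run against real buckets by feeding it the output of `get_bucket_acl`, `get_bucket_policy` (the `Policy` string) and `get_public_access_block` for every bucket in the inherited account; a bucket that produces no findings can still be exposed through object-level ACLs or an access point, so treat a clean result as a starting point rather than proof of safety.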