FedEx customer information exposed in data breach
An unsecured FedEx server was breached, exposing thousands of customers' personal information, a prominent security research firm discovered earlier this month.
Package forwarding service Bongo International was acquired by FedEx in 2014 and now serves as a e-commerce service called FedEx Cross Border.
But an unsecured Amazon S3 server, according to the white hat research group Kromtech, was holding more than 100,000 scanned documents including passports, drivers licenses, and security IDs. The white hat group responsibly disclosed the breach.
In a statement a FedEx spokesperson said the server has since been secured, and the data wasn't "misappropriated." The full statement reads:
After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.
Kromtech was able to get in touch with FedEx through a reporter earlier this week and secure the compromised data. This likely means anyone whose information was housed in that server is safe.
Alex Heid, white hat hacker and chief research officer at SecurityScorecard, said in a call it's very likely none of the data was used, but it was sitting there for a long time. "Thankfully this group was working to report that type of stuff," unlike the Equifax breach last year where the information was used maliciously.
He said this type of information leak is "incredibly common" as "new big data technologies become easier to use," but companies don't necessarily know how to use and secure them, like this Amazon S3 server forgotten in an years-old acquisition.
He said FedEx shouldn't be judged for having the data open, but on how they react to the exposure. "It’s a matter of having a program in place when it happens," Heid said.
Topics Cybersecurity
Sasha is a news writer at Mashable's San Francisco office. She's an SF native who went to UC Davis and later received her master's from the UC Berkeley Graduate School of Journalism. She's been reporting out of her hometown over the years at Bay City News (news wire), SFGate (the San Francisco Chronicle website), and even made it out of California to write for the Chicago Tribune. She's been described as a bookworm and a gym rat.
