Security

Leaked FedEx customer data was stored on Amazon S3 server with no password

The incident-one of many related to S3 repositories-put thousands of customer records at risk.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • An unsecured Amazon S3 storage server exposed thousands of FedEx customer records, including civilian and military ID cards, resumes, bills, and more.
  • A leak of more than 119,000 files from an Amazon server at FedEx highlights the need for more stringent security hygiene in cloud storage.

Critical FedEx customer data was left exposed after an unsecured Amazon Web Services (AWS) S3 storage server was found without even a simple password protecting it.

The discovery was first noted by Kromtech security researchers, before being jointly published by both Kromtech and our sister site ZDNet. The leak is the latest in a string of data breaches coming out of Amazon S3 repositories, which have also been experienced at Dow Jones, Verizon, and GOP analytics firm Deep Root Analytics.

In all three of the above-mentioned leaks, poor configuration and incorrect settings were to blame for the exposed data. The FedEx incident is further evidence of shortcuts companies may be taking in their race to the cloud, and firms looking to embrace cloud repositories like S3 must be aware of the security options available, and their limitations, before proceeding.

SEE: Network security policy template (Tech Pro Research)

The leaked FedEx file came from a server associated with Bongo, a shipping calculation company purchased by FedEx back in 2014. According to the Kromtech report, more than 119,000 files were exposed.

Since Bongo helped customers calculate shipping costs and convert currencies, a special US Postal Service form was required for customers wishing to use the service, along with identification. These are what was stored on the exposed server, ZDNet reported.

Records belonging to people in the US, Asia, Australia, Europe, and the Middle East were exposed. According to ZDNet, drivers' licenses, work ID card, bills, voting cards, resumers, insurance cards, credit cards, and military IDs were among the types of records that were exposed.

"One identity card, when we checked, revealed the details of a senior official at the Netherlands' Ministry of Defense," ZDNet's Zack Whittaker wrote.

The leaked data ranged from 2008 to 2015. Shortly after ZDNet reached out to FedEx, the server was secured. FedEx spokesperson Jim McCluskey confirmed the breach to ZDNet and said the company has "found no indication that any information has been misappropriated," and will continue to investigate.

Also see

fedex.jpg
Image: iStockphoto/vicm

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox