Kromtech security researchers have disclosed that shipping giant FedEx left personal data for more than 119,000 customers sitting in an unsecured Amazon S3 bucket.
The data was discovered on 5th February but it took FedEx until 14th February to acknowledge the leak and remove the data.
The details of the leak were revealed in a blog post from Kromtech researcher Bob Diachenko. In it he said: “Among other stuff, it contained more than 119 thousand scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. IDs were accompanied by scanned ‘Applications for Delivery of Mail Through Agent’ forms (PS Form 1583) – which also contained names, home addresses, phone numbers and zip codes.”
Where did the data come from?
The data came from the acquisition of Bongo International that FedEx made back in 2014. FedEx later renamed the business unit and then shut it down in April 2017. What is not clear is how long the data has been exposed. Was it originally exposed by Bongo before the acquisition? Did it become orphaned data after the business unit was shut down? Either way, there is evidence that the data has been exposed for some time.
Diachenko said: “Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years. Seems like the bucket has been available for public access for many years in a row. Applications are dated within the 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”
In response to Diachenko disclosing the breach, FedEx issued its own statement. It said: “After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
The latter part of the FedEx statement is strange. If the data has been publicly available since as far back as 2009, it is unlikely to have gone unnoticed by data harvesters. Amazon S3 buckets continue to be a data harvester's best friend, as companies fail to secure the data they hold there and leave it open to discovery and theft.
What does this mean?
Once again this story exposes how hard it is for many organisations to track where user data is stored. The FedEx IT security team should have had visibility of all data assets as they were acquired. In this case it appears someone not only failed to do that but also failed to check what happened to the data when the business unit was later closed. Given the type of data involved, FedEx can expect some hard questions from regulators as to why its policies failed.
Of more concern to regulators will be the slow response of FedEx once it was informed of the data breach. GDPR comes into force soon and sets strict timing for informing regulators of any data breach. The response time for this breach exceeds that set out in the forthcoming legislation. With a significant amount of that data coming from European customers, FedEx will need to explain why it was so slow to act.
There are questions that need to be answered here. According to Tony Pepper, CEO of data security company Egress Software Technologies Inc: “What’s most concerning about this breach is the likelihood that encryption wasn’t applied to that server when it was in use and then, adding insult to injury, it wasn’t retired properly and the data erased. This shows a lack of best practice and human error that, combined, put highly sensitive data at risk. What’s more, there’s no knowing how many similar scenarios are awaiting discovery.”