FedEx has exposed private information belonging to thousands of its customers after a legacy server was left open without a password.
The discovery was made by security researchers at the Kromtech Security Center, which posted details of the exposure. The data, hosted on a password-less Amazon S3 storage server, was secured Tuesday after efforts were made to contact FedEx.
The server belonged to Bongo International, a company specializing in helping US retailers sell products online to consumers around the world by calculating shipping and duty calculations and currency conversions, among other things. Bongo was bought by shipping giant FedEx in 2014 and later rebranded as FedEx CrossBorder. The service was shut down a year later. Anyone could sign up to the service by filling out a US Postal Service form that regulated how a person's mail can be received and handled, such as by customers who own a PO Box or a private mailbox. The form has to be notarized and filed along with a form of identification, such as a passport or driver's license.
It's those unencrypted private customer records that were exposed on the server. The server contained more than 112,000 files, a mix of the completed US Postal Service forms used to authorize the handling of mail, along with identification. Many of the records we saw were of US nationals, but a portion of the data contained identification records from dozens of other countries, including Asia, Australia, Europe, and the Middle East.
Among the exposed files, experts confirmed drivers' licenses, national ID cards, and work ID cards, voting cards, and utility bills. We also found resumes, vehicle registration forms, medical insurance cards, firearms licences, a few US military identification cards, and even a handful of credit cards that customers used to verify their identity with the FedEx division.
One identity card, when we checked, revealed the details of a senior official at the Netherlands' Ministry of Defense. The postal service forms meanwhile contain names, home addresses, phone numbers, and handwritten signatures. Despite the division's shutdown, documents on the server date up until September 2015, and date back to 2008. Many of the identification cards have since expired, but many thousands of recently uploaded documents are still valid, and put customers at risk of identity theft.
We reached out to several individuals whose data was exposed by the password-less server, who confirmed their details and that they were either FedEx or Bongo customers. The server was secured within a few hours of contacting FedEx. FedEx spokesperson Jim McCluskey confirmed the breach in an email sent prior to publication:
"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," he said. "The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation."
It's not known if the company will notify the authorities of the exposure.