Fedex acquired a company called Bongo International in 2014; Bongo specialized in helping North American companies sell overseas and after the acquisition, Fedex renamed the company FedEx Cross-Border International.
Bongo and/or Fedex stored 119,000 of its customers scanned pieces of ID on an Amazon Web Services bucket that had no password or encryption; these included passport scans, drivers licenses and other docs, each accompanied by customs forms stating the customer's full name, home addresses and phone numbers.
Fedex shut down the division last April, but even then it did not audit its data-handling practices and shut down the archive or at least add a password to it (it's down now).
Fedex says this is OK because if someone stole this data, they did so without leaving a trail that Fedex can find. Kromtech, who made the discovery, says they think the data may have been available since 2009.
Thursday's post said Kromtech researchers made "attempts to get in touch with FedEx via FedEx Cross-Border Merchant Customer Support line and emails." The researchers said they didn't succeed until Tuesday, when ZDNet reporter Zack Whittaker began contacting FedEx officials. The unsecured Amazon bucket was taken down on Wednesday.
In a statement, FedEx officials wrote: "After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation."
FedEx Customer Records Exposed [Bob Diachenko/Kromtech]
Mountain of sensitive FedEx customer data exposed, possibly for years [Dan Goodin/Ars Technica]
fedex,amazon,aws,breaches,pii,reckless endangerment,identity theft,business,kromtech,bongo bongo-bungle