FedEx publicly exposed the identity and security documents of thousands of customers after leaving them on an unsecured server that required no password.
Researchers with Kromtech Security made the discovery and reported it to FedEx, which fixed the exposure on Tuesday. Kromtech Security found more than 119,000 scanned documents belonging to U.S. and international citizens, including driver’s licenses, passports, and security IDs, along with address information from the accompanying scanned mailing forms.
The unsecured Amazon S3 storage server formerly belonged to startup Bongo International, which helped North American merchants with international purchases and deliveries. FedEx acquired Bongo in 2014 and rebranded it as FedEx Cross Border in 2016. It’s likely that, in the midst of Bongo’s acquisition and transition into a FedEx property, the legacy server was forgotten about; the information, according to Kromtech Security, has been available online for many years now.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx spokesperson Jim McCluskey told ZDNet. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
The documents found on the unsecured server date from 2008 to 2015, according to ZDNet, which worked with Kromtech on reporting this issue. While many are now expired, the information could still have opened up these individuals to identity theft.
“This case highlights just how extremely important it is to audit the digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale,” security researcher Bob Diachenko wrote.
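The audit Diachenko describes starts with an inventory of every storage bucket an acquisition brings in and a check of each one for public exposure. The helper below is an added example, not code from the article, Kromtech, or FedEx: it evaluates a bucket's ACL, bucket policy, and Public Access Block settings in the JSON shapes the S3 GetBucketAcl, GetBucketPolicy, and GetPublicAccessBlock calls return. The bucket name, owner ID, and settings are constructed for illustration.

```python
import json

# Grantee URIs that make an ACL grant readable by everyone / any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def policy_public_statements(policy_json):
    """Sids of unconditioned Allow statements with a wildcard principal."""
    if not policy_json:
        return []
    found = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            found.append(st.get("Sid", "<no Sid>"))
    return found

def audit_bucket(acl, policy_json, public_access_block):
    """Return findings for one bucket; an empty list means nothing public."""
    findings = []
    missing = [f for f in PAB_FLAGS if not public_access_block.get(f)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    # neutralises public bucket policies, so only report them when unprotected.
    grants = acl_public_grants(acl)
    if grants and "IgnorePublicAcls" in missing:
        findings.append("ACL grants public " + "/".join(grants))
    sids = policy_public_statements(policy_json)
    if sids and "RestrictPublicBuckets" in missing:
        findings.append("policy open to everyone in statements: " + ", ".join(sids))
    return findings

# Constructed sample inputs (not real FedEx/Bongo data): a forgotten legacy
# bucket with a world-readable ACL and policy, and a properly locked one.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
LEGACY_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}
LEGACY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-legacy-scans/*"}]})
NO_BLOCK = {f: False for f in PAB_FLAGS}
FULL_BLOCK = {f: True for f in PAB_FLAGS}
```

Running `audit_bucket(LEGACY_ACL, LEGACY_POLICY, NO_BLOCK)` yields three findings, while the same bucket with `FULL_BLOCK` yields none.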
Mistakes and oversights do happen, but at least FedEx reacted swiftly to correct this error, and no harm seems to have come to those whose data was exposed.