FedEx admits server left thousands of customers exposed

A server containing personal information from more than 119,000 FedEx customers may have been left unsecured for several years, security researchers have found.

A new report has revealed an Amazon S3 bucket containing thousands of scanned documents from US and international citizens was publicly accessible until this week.

The global package delivery company said on Thursday it has secured some of the customer identification records that were visible earlier this month on the unsecured server.

So far, FedEx says it has found no evidence that private data was ‘misappropriated.’

The server stored more than 119,000 scanned documents from U.S. and international citizens, such as passports, driving licenses, and security identification, according to a report from security research firm Kromtech.

Kromtech said its researchers found the unsecured server on Feb. 5 and it was closed to public access on Wednesday.

The data was stored on an Amazon S3 storage server and collected by a company FedEx acquired in 2014, Bongo International, which calculated international shipping prices and provided other services.

FedEx later discontinued the service.

But, according to the report, the data FedEx inherited from the 2009-2012 period was publicly available.

‘After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,’ FedEx spokesman Jim McCluskey said in a statement.

A new report has revealed an Amazon S3 bucket containing thousands of scanned documents from US and international citizens was publicly accessible until this week. An example is shown above, with personal information redacted 

WAS YOUR DATA AFFECTED BY FEDEX’S UNSECURED SERVER?

Researchers found customers' data was left unsecured, and was publicly available, as seen above.

Security researchers from Kromtech discovered on Feb 5 that an Amazon S3 bucket containing thousands of scanned documents from US and international citizens was ‘set for public access.’  

The data was collected by a company FedEx acquired in 2014, Bongo International, which calculated international shipping prices and provided other services. 

FedEx later discontinued the service.

On the server, the researchers found 119,000 scanned documents, such as passports, driving licenses, and security identification.

But according to FedEx, there is no evidence so far that private data was ‘misappropriated.’

The firm says it has secured the server as of Thursday.

‘We have found no indication that any information has been misappropriated and will continue our investigation,’ McCluskey said.

McCluskey declined to elaborate on what portion of the records were secure, or whether FedEx had notified authorities. 

The incident affected a tiny portion of FedEx customers globally.

The exposure appears far less disruptive than a cyber attack last year on FedEx’s Dutch TNT Express unit, which slashed $300 million from its quarterly profit.

The Memphis, Tennessee-based company joined a string of companies that reported big drops in earnings because of the NotPetya virus, which hit on June 29, crippling Ukrainian businesses before spreading worldwide to shut down shipping ports, factories and corporate offices.