Following reports that thousands of customer identification records were left open to public access, FedEx said those records have now been secured and there is “no indication that any information has been misappropriated.”
Parcel and express delivery carrier FedEx Corp. seems to have confirmed recent reports that thousands of customer identification records were mistakenly left open to the public on an Amazon web server.
The reports first began to surface early last week after researchers at the Kromtech Security Center discovered an Amazon S3 bucket set for public access that contained more than 119,000 scanned documents, including passports, driver's licenses and security IDs, belonging to U.S. and international citizens. Those IDs were accompanied by scanned “Applications for Delivery of Mail Through Agent” forms (PS Form 1583), which also contained the names, home addresses, phone numbers and ZIP codes of those customers.
In its analysis, Kromtech found that the data belonged to Bongo International LLC, an international e-commerce specialist that FedEx purchased for $42 million in December 2014 and later rebranded as FedEx Cross-Border International.
The FedEx Cross-Border service was shut down in April 2017, but the data housed on the former Bongo International web server from 2009-2012 was still available to the public until last week.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years,” said Bob Diachenko, head of communications at Kromtech Security Center. “Seems like [the] bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”
FedEx said in a statement late last week that the information has since been secured and does not appear to have been accessed by anyone other than the Kromtech researchers.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” the company said. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
Kromtech said the potential leaking of personal customer information should serve as a cautionary tale for companies engaging in mergers and acquisitions.
“During any M&A (mergers and acquisitions) transactions it is important that the company who is selling their assets notify their customers that the business is going to be sold and their private data will be transferred to new ownership,” the company said. “The purchasing company should give customers the option to opt out of their data being transferred and provide a data protection notice.
“This case highlights just how important it is to audit the digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale,” it added. “During the integration or migration phase is usually the best time to identify any security and data privacy risks.”