Passports, driver’s licenses, and other sensitive documents for thousands of FedEx customers were left online, possibly for years, mistakenly exposing the information to identity thieves and fraudsters in yet another such lapse, researchers said Thursday.
In all, researchers at Kromtech Security Company said, they found 119,000 scanned documents stored in a publicly accessible Amazon S3 bucket. The scanned photo IDs were accompanied by completed US Postal Service forms that included the names, home addresses, and phone numbers of the people requesting that their mail be delivered through an authorized agent.
“Citizens from all over the world submitted their verified IDs—Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia—to name a few,” Kromtech researchers wrote.
The data was originally compiled by Bongo International, a company that helps North American retailers and brands sell online to consumers in other countries, the researchers said. FedEx acquired Bongo International in 2014 and eventually changed its name to FedEx Cross-Border International. FedEx shut down the service last April. The discovery of customer IDs and other personal information suggests that not only was the information not properly secured to begin with, but FedEx agents also failed to delete the data once the service was discontinued. Kromtech says the information may have been available since 2009.
Thursday’s post said Kromtech investigators made “attempts to get in touch with FedEx via the FedEx Cross-Border Merchant Customer Support line and emails.” The investigators said they were unsuccessful until Tuesday, when ZDNet reporter Zack Whittaker began contacting FedEx employees. The unsecured Amazon bucket was taken down on Wednesday.
In a statement, FedEx officials wrote: “After a preliminary investigation, we can confirm that some Bongo International account information stored on a server hosted by a third-party, public cloud provider has been secured. The data was part of a service that was discontinued after we acquired Bongo. We have found no indication that any information has been misused and will continue our investigation.”
That said, absence of evidence is not evidence of absence. People who used Bongo International or FedEx Cross-Border International should be on the alert. The incident is a good reason why people should avoid handing over their personal information unless it is necessary.