FedEx Customer Data Exposed on Unsecured S3 Server

Thousands of documents from US and international citizens were exposed on an Amazon S3 bucket configured for public access.

Data belonging to thousands of global FedEx customers was exposed on an unsecured Amazon Simple Storage Service (S3) server configured for public access, Kromtech security analysts discovered earlier this month.
The exposed bucket belonged to Bongo International LLC, a company created to help North American companies market to customers around the world. FedEx acquired Bongo in 2014. Two years later, it relaunched it as FedEx Cross-Border International, which shut down in 2017.
Although the organization was closed, data inherited from 2009-2012 remained available on the server, exposing personal identifiable information from citizens representing Canada, Japan, China, Australia, the EU, and other countries until the bucket was removed from public access this month. The server contained more than 119,000 scanned documents including passports, drivers licenses, and security IDs, in addition to scanned Applications for Delivery of Mail Through Agent forms with names, home addresses, phone numbers, and zip codes.
FedEx reports it has no evidence the data was compromised but is still investigating the matter. The company joins a growing list of organizations that have unintentionally compromised consumer data by failing to properly secure their Amazon S3 storage buckets -- a trend that continues as more businesses
move to the cloud
without taking proper security precautions.
We need to get our heads out of the clouds, because cloud services are only as secure as you make them, says Brian NeSmith, CEO and cofounder at Arctic Wolf Networks. Companies need to start applying the same rigor and discipline to their cloud infrastructure as they do to their on premises network.
On top of that, a recently discovered search engine makes it
easier
to look for data left on misconfigured S3 servers. The service, dubbed BuckHacker, lets people search by file name or bucket name, which may include the name of the business using the server.
Read more details on the FedEx leak
here
.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
FedEx Customer Data Exposed on Unsecured S3 Server