An unsecured Amazon Web Services S3 bucket holding personal information and ID scans of some 119,000 US and international citizens was found sitting online by Kromtech security researchers earlier this month.
The stored data had been stockpiled by Bongo International, a company that specialized in helping North American retailers and brands sell online to consumers in other countries. Bongo was acquired by FedEx in 2014, relaunched as FedEx Cross-Border International, and ultimately shuttered in April 2017.
The contents of the unsecured bucket
The AWS S3 bucket was configured for public access, so its contents could be read by anyone who reached it, without any credentials. It held unencrypted information and ID scans of customers from the US, Mexico, Canada, various EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia, and elsewhere.
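For an S3 bucket, "unsecured" concretely means an ACL grant to the predefined AllUsers or AuthenticatedUsers group, or a bucket policy statement that allows a wildcard principal. The audit below is an added example for this article, not Kromtech's tooling or anything FedEx published: it flags exactly those grants in the JSON that the S3 GetBucketAcl and GetBucketPolicy calls return. The bucket name, canonical owner ID, ACL and policy are constructed for illustration and are not taken from the FedEx/Bongo bucket.

```python
"""Offline audit of S3 bucket access settings for world-readable grants.

Works on the JSON the S3 API returns from GetBucketAcl and GetBucketPolicy
(e.g. saved output of `aws s3api get-bucket-acl` / `get-bucket-policy`), so it
runs without credentials or network access. The sample ACL and policy at the
bottom are constructed to show a public-read misconfiguration."""
import json

# Predefined groups; a grant to either exposes the bucket beyond the account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the internet, no credentials)",
    AUTH_USERS: "AuthenticatedUsers (anyone with any AWS account)",
}
# What each bucket-level ACL permission actually allows.
ACL_EFFECT = {
    "READ": "list the bucket's object keys",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change the bucket ACL",
    "FULL_CONTROL": "all of the above",
}


def public_acl_grants(acl):
    """Return (group_label, permission) for each grant to a predefined public group.

    `acl` has the shape of a GetBucketAcl response: {"Owner": ..., "Grants": [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be scalar or list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} / {"AWS": [..., "*"]}, the anonymous-principal forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (sid, actions) for Allow statements open to everyone.

    A Condition block can narrow "*" (e.g. to a VPC endpoint or source IP range),
    so conditional statements are skipped here rather than reported as public.
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if is_wildcard_principal(st.get("Principal")):
            findings.append((st.get("Sid", f"Statement[{i}]"), _as_list(st.get("Action"))))
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine both checks into human-readable findings for one bucket."""
    findings = []
    for group, perm in public_acl_grants(acl):
        effect = ACL_EFFECT.get(perm, perm)
        findings.append(f"{name}: ACL grants {perm} to {group}: can {effect}")
    for sid, actions in public_policy_statements(policy or {}):
        findings.append(f"{name}: policy statement {sid} allows {', '.join(actions)} to everyone")
    return findings


# --- Constructed sample input (hypothetical bucket, not the FedEx/Bongo data) ---
OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        # The "public-read" canned ACL adds exactly this grant.
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"]},
    {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-archive/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for line in audit_bucket("example-archive", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

To run it against a live account, feed `audit_bucket` the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter returns the policy document as a JSON string under the `Policy` key, so parse it with `json.loads` first). Since this incident AWS has added S3 Block Public Access settings at the account and bucket level that override such grants when enabled; the audit still shows what the ACL and policy themselves would grant if those settings were off.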
ZDNet trawled through the documents and found scans of drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers had used to verify their identity with the FedEx division.
Completing the picture of each customer were US Postal Service forms holding information such as name, home address, phone number, zip code and handwritten signature.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years. Seems like [the] bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014,” said Bob Diachenko, head of communications, Kromtech Security Center.
The origin of the problem
The researchers tried for over a week to inform FedEx about the existence of the unsecured data trove, but had trouble reaching anyone at the company who would look into the matter.
It was only after they went public with the information and ZDNet contacted the company for a comment that FedEx reacted and removed the bucket from public access.
“The data was part of a service that was discontinued after our acquisition of Bongo,” a company spokesperson said and added that they “have found no indication that any information has been misappropriated” and that they will continue their investigation.
“The FedEx incident raises questions around security practices following M&A – and what steps companies take to ensure the right controls are in place to protect sensitive data following a business change like FedEx’s acquisition of Bongo International. It’s critical that companies have a systematic process for reviewing access permissions and security rules, auditing who has access to what,” Obsidian Security CTO Ben Johnson commented on the discovery.
“The incident, echoing others we’ve seen time and time again, also raises the larger issue that many organizations have not yet fully grasped the idea that most public cloud providers are not managing their data – but are just providing a platform or infrastructure, so the management protection of data is left up to the companies themselves. It’s critical that enterprises understand the risks of the cloud – that availability and uptime also mean that their data can be easily accessed unless they have the right controls in place.”
Alex Heid, white hat hacker and Chief Research Officer at SecurityScorecard, says that leaking Amazon S3 buckets like this one are the result of organizations adopting new technologies without fully understanding their features and access controls.
“The problem is a percentage of people will always skip over the access control restrictions part of the documentation, or may even believe they have implemented it correctly. Also, there has been a release of Amazon S3 enumeration tools, which allow attackers, researchers, and companies the ability to discover these exposed instances,” he noted.