Over 119,000 customer records, including scanned passports and driver's licenses, have reportedly been leaked online through an unsecured Amazon Web Services S3 storage bucket operated by FedEx.
Bongo International Customer Data Reportedly Leaked
The data cache is linked to Bongo International, an e-commerce delivery service purchased by FedEx in 2014. Documents exposed in the leak are believed to date from between 2009 and 2012, according to macOS security software provider Kromtech, which discovered the leak.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years,” said Bob Diachenko, head of communications for Kromtech Security Center.
Kromtech believes that the data store has been publicly available for several years. The Bongo International services linked to the data were discontinued in 2016. FedEx rebranded Bongo International as FedEx Crossborder in the same year.
Customers reported to be affected by this leak include individuals and businesses located in Mexico, Canada, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia.
Neither Kromtech nor FedEx has indicated that the issue is related to a flaw in Amazon’s security; it lies instead in the way the storage bucket was configured.
After news spread about the leak, FedEx issued a statement:
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
How Easy is it to Find Unsecured Data Stored on AWS?
In the wake of this report, a group of anonymous hackers has created a new service that allows anyone to search for unsecured data stored on AWS servers.
Dubbed BuckHacker, the search engine was apparently created to raise awareness of the importance of securing data in the cloud.
“The purpose of the project is to increase the awareness on bucket security, too many companies was [sic] hit for having wrong permissions on buckets in the last years,” one of the service's anonymous developers told Motherboard in an email.
Security is a constant concern for businesses regardless of where their data is stored. This latest discovery, along with tools like BuckHacker, sheds light on the importance of properly securing data in the cloud.