FedEx Customer Data Left Exposed on Amazon S3 Bucket


An Amazon S3 storage bucket server belonging to international shipping giant FedEx was left configured for public access for years, potentially exposing the identity data of thousands of people.


The server belonged to FedEx Cross-Border International, a division that FedEx shuttered in 2017. The exposed data included the passports, driving licenses, and security IDs for 119,000 people across the U.S. and the world. Further, scanned copies of “Applications for Delivery of Mail Through Agent” also exposed names, home addresses, and phone numbers.

Kromtech security analysts discovered the open server earlier this month; it has since been removed from public access. According to researchers, Bongo International originally compiled the data on the server before it was bought by the FedEx Corp. in 2014. In a statement, FedEx said: “We have found no indication that any information has been misappropriated and will continue our investigation.”

However, a contradictory statement came from Bob Diachenko, head of communications for Kromtech: “Seems like [the] bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”

This aligns with similar doubts raised by Upguard researcher Chris Vickery, who discovered the Octoly leaky S3 bucket with the personal data of 12,000 social media influencers: it is unlikely that FedEx would know whether anyone had accessed the data at all.

The revelation speaks to an economy-wide ignorance—or neglect—of digital hygiene practices and proper customer data care. Enterprises need to be much more aware of the data they collect and manage and how they are storing that data. The news of FedEx’s leak should prompt enterprises to take a survey of their data assets and work to immediately close any leaks they discover.
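One way to carry out that survey for S3, as an added example that is not part of this article or of FedEx's or Kromtech's work: evaluate each bucket's ACL, Public Access Block settings and policy status together, since a public grant only matters when the block that would override it is missing. The input shapes follow the boto3 S3 API responses; `audit_account` needs boto3 and AWS credentials, while `public_exposure` itself runs offline on constructed input.

```python
# Grantee URIs that make an ACL grant anonymous/public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_exposure(acl: dict, pab: dict, policy_status: dict) -> list:
    """Findings for one bucket. Inputs mirror boto3's get_bucket_acl response,
    the PublicAccessBlockConfiguration dict ({} if none) and get_bucket_policy_status."""
    findings = []
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("public access block not fully enabled")
    # A public ACL grant only takes effect when IgnorePublicAcls is off.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            if not pab.get("IgnorePublicAcls"):
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    # A public bucket policy only takes effect when RestrictPublicBuckets is off.
    if policy_status.get("PolicyStatus", {}).get("IsPublic") and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy is public")
    return findings

def audit_account() -> dict:
    """Run public_exposure over every bucket visible to the caller's AWS credentials."""
    import boto3  # imported lazily so the check above works without boto3 installed
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # no block configured at all: treat as empty
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = {}
        try:
            status = s3.get_bucket_policy_status(Bucket=name)
        except ClientError as err:  # no bucket policy: nothing to evaluate
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            status = {}
        findings = public_exposure(s3.get_bucket_acl(Bucket=name), pab, status)
        if findings:
            report[name] = findings
    return report
```

Buckets with findings are the ones to lock down first; an account-level Public Access Block closes the whole class of exposure at once.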

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.