FedEx has confirmed a security breach that exposed about 119,000 scanned documents containing the private information of customers, including passports and driver’s licenses, according to researchers.
The documents were discovered on a publicly available database Feb. 5 by Kromtech, a German security firm, and ultimately determined to belong to Bongo International, a shipping company acquired by FedEx in 2014 and rebranded as FedEx CrossBorder prior to shuttering last April, ZDNet first reported Thursday.
Kromtech notified FedEx, which in turn secured the data this Tuesday, Feb. 13, the report said.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” confirmed FedEx spokesperson Jim McCluskey. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
Security researchers nonetheless warned the trove of sensitive personal data was likely publicly available for several years prior to being secured this week, potentially putting thousands of individuals around the world at risk.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years,” said Bob Diachenko, Kromtech’s chief communications officer. “Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”
Specifically, researchers said the customer records were hosted on an Amazon S3 storage server that could be accessed online without a password. Those records included customers’ passports and driver’s licenses, as well as U.S. Postal Service forms, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses and U.S. military ID cards, among other data, including an ID card belonging to a senior official at the Netherlands’ Ministry of Defense, ZDNet reported.
“Citizens from all over the world left their scanned IDs — Mexico, Canada, E.U. countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia — to name a few,” Mr. Diachenko said.
The breach is hardly the only cybersecurity incident FedEx has suffered in recent months. Last year, the Memphis-based international courier company was among the corporate victims of NotPetya, an international cyberattack waged last June that the White House formally blamed Thursday on the Russian government. FedEx explained previously that NotPetya infected computers used by TNT Express, its Dutch logistics unit, costing the company about $300 million in profit that quarter.
• Andrew Blake can be reached at ablake@washingtontimes.com.