Unsecured server left FedEx customer documents for 100K+ accounts exposed

Written by |
Advertisement

Here’s the latest in the ongoing saga of how corporate America fails to protect consumer information!

FedEx is the latest major company to announce that an unsecured server it failed to password protect exposed the passports, driver’s licenses and other security identification and more of 119,000 customers.

RELATED: Amazon warning — Beware of deliveries you didn’t order

FedEx security blunder exposed broad range of customer info

Securtity researchers at MacKeeper Kromtech discovered the vulnerability, which exposed the data of both U.S. and international citizens.

The unsecured server in question was associated with Bongo International, a company acquired by FedEx in 2014. After acquisition, Bongo was folded into the FedEx Cross-Border International division and subsequently shut down in April 2017.

When it was operating, Bongo helped facilitate the sale of online goods from North American retailers and brands to international consumers.

The Kromtech researchers found the info that was exposed dated back to a three-year period between 2009 and 2012, prior to when Bongo became part of FedEx.

That info, of course, became FedEx’s responsibility to secure when the company acquired Bongo.

The good news here is that FedEx has investigated the security snafu and determined that none of the breached info was “misappropriated.” The company has also since put password protection on the exposed server.

After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo.  We have found no indication that any information has been misappropriated and will continue our investigation.

FedEx statement

Advertisement

However, it wasn’t just passport and IDs like this one below that were exposed on the old Bongo server.

passport

The IDS also were accompanied by scanned file of the Postal Service’s “Applications for Delivery of Mail Through Agent” — a necessary piece of paperwork for Bongo’s customers to file out.

Those applications contained names, home addresses, phone numbers and zip codes, according to researchers:

fed ex info

Meanwhile, a separate investigation by ZDNet found even more info that was left exposed — including “resumes, vehicle registration forms, medical insurance cards, firearms licences, a few U.S. military identification cards, and even a handful of credit cards that customers used to verify their identity with the FedEx division.”

Unfortunately, this isn’t FedEx’s first brush with a cybersecurity threat.

The logistics giant was affected by a worldwide cyberattack in May 2017 and reported “experiencing interference with some of our Windows-based systems caused by malware.”

By June of that year, the company’s TNT division was briefly thrust back into the Stone Age when it had to do transactions by hand because of lingering damage from that unprecedented global hack.

TNT, which is FedEx’s international courier delivery services subsidiary, said a number of operations that were usually automated had to be done manually until the division’s IT issues could be sorted out.

Advertisement

RELATED: 10 things you must do if your identity is stolen

Advertisement