FedEx customers’ personally identifiable information found unsecured on publicly accessible server

The sensitive information of thousands of FedEx customers has been found on a publicly accessible Amazon S3 server. FedEx failed to secure scanned passports, driver's licenses, and other documentation from all over the world.

According to Kromtech, which discovered the server, more than 119,000 scanned documents were found, dating from 2009 to 2012. The personally identifiable information (PII) was attached to forms that included several additional pieces of information, including names, home addresses, phone numbers, and zip codes.

Server belonged to Bongo International, a company FedEx acquired then disbanded

Kromtech said the server belonged to Bongo International, LLC (Bongo), a company that helped customers with shipping calculations and currency conversions. FedEx acquired Bongo in 2014 and renamed it FedEx Cross-Border International before closing it in 2017.

The data was part of a service that was discontinued after FedEx took ownership of Bongo. Following a preliminary investigation, FedEx confirmed that the archived Bongo account hosted on a public cloud provider is now secure. The company claims that there is no evidence of the data being “misappropriated”, but it will continue investigating.

It is unknown whether FedEx was aware of the server’s existence when it purchased Bongo. According to Kromtech, the data could have been exposed for several years. Anyone who used Bongo’s services between 2009 and 2012 could have had their PII compromised.

Keep your information assets clearly inventoried to protect personal data

This incident is a reminder of the importance of information asset audits – particularly when one company acquires another. Customer data must be secured and properly stored in each step of the transaction. According to Kromtech, “During the integration or migration phase is usually the best time to identify any security and data privacy risks.”
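One concrete piece of such an audit is checking every storage bucket in the inventory, including ones inherited through an acquisition, for grants that make it readable by the public. The script below is an added example written for this article; it is not code from the original post, from Kromtech, or from FedEx. It evaluates bucket ACLs and bucket policies in the dict shapes that boto3's `get_bucket_acl()` and (after `json.loads`) `get_bucket_policy()` return, and the bucket names, grants and policy statements in `SAMPLE_INVENTORY` are constructed sample data so the audit runs offline.

```python
"""Flag storage buckets whose ACL or bucket policy grants public access.

Added example: evaluates ACL/policy dicts in the shape boto3 returns, over a
constructed inventory, so it runs without AWS credentials.
"""
from typing import Iterable

# Group URIs Amazon S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl: dict) -> list:
    """Permissions the ACL grants to a public group (shape of get_bucket_acl())."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant.get("Permission"))
    return found


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> list:
    """Sids (or indexes) of unconditional Allow statements open to any principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    found = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (source VPC endpoint, IP range, ...) may scope the grant;
            # it needs manual review, so it is not reported as plainly public here.
            continue
        found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def audit_buckets(inventory: Iterable[dict]) -> dict:
    """Map bucket name -> list of public-exposure findings (empty list = none)."""
    report = {}
    for entry in inventory:
        findings = []
        for perm in acl_public_permissions(entry.get("acl", {})):
            findings.append(f"ACL grants {perm} to a public group")
        for sid in policy_public_statements(entry.get("policy", {})):
            findings.append(f"policy statement {sid} allows any principal")
        report[entry["name"]] = findings
    return report


OWNER_ONLY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}

# Constructed sample inventory (bucket names and grants are made up for this example).
SAMPLE_INVENTORY = [
    {   # legacy archive left world-readable through its ACL
        "name": "archive-legacy-forms",
        "acl": {"Grants": OWNER_ONLY_ACL["Grants"] + [
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "policy": {},
    },
    {   # ACL is fine, but a bucket policy opens object reads to everyone
        "name": "customer-scans",
        "acl": OWNER_ONLY_ACL,
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-scans/*"},
        ]},
    },
    {   # owner-only ACL and an explicit Deny: not public
        "name": "internal-only",
        "acl": OWNER_ONLY_ACL,
        "policy": {"Statement": [
            {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::internal-only/*"},
        ]},
    },
]

if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {'PUBLIC' if findings else 'ok'}")
        for finding in findings:
            print("  -", finding)
```

To run this against a real account you would build the inventory with boto3's `list_buckets()`, `get_bucket_acl(Bucket=...)` and `get_bucket_policy(Bucket=...)` (the latter returns the policy as a JSON string under `Policy` and raises `NoSuchBucketPolicy` when none is set, so treat that as an empty policy). Checking `get_public_access_block()` as well is worthwhile, since an account- or bucket-level Public Access Block overrides public ACLs and policies; the point of the audit is to produce the list of buckets first, so that an archive nobody remembers, like the Bongo one, cannot sit outside the review.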

Information audits are an important part of achieving ISO 27001 certification. ISO 27001 is the international standard for best practice in information security, risk mitigation, and data breach management. ISO 27001 certification demonstrates that an organization has conducted due diligence in protecting personal, sensitive, and private data.

IT Governance offers an accredited, practitioner-led course to help you manage an ISO 27001 information security management system (ISMS) implementation program. Learn the foundations of data security regulations compliance, information security risk mitigation, and data breach event response management.