ISBuzzFeed, February 19, 2018, comments by Willy Leichter
Personal information of thousands of FedEx customers worldwide was exposed on the web by an Amazon Web Services (AWS) cloud storage server that was not secured with a password. Security researchers from Kromtech Security found the open AWS bucket, which contained 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes. IT security experts comment below.
Willy Leichter, Vice President of Marketing at Virsec Systems, says, “This story keeps repeating as often as Groundhog Day. Many data breaches don’t involve sophisticated hackers – just a careless IT person turning on a cloud server, ignoring the security settings, and copying files that should be under strict lock and key. It’s naïve to think that these accidents won’t get discovered. Hackers are continually scanning for new servers and probing for lax security. If you turn on a random AWS server, that IP address will be scanned by hackers within minutes.”
The trail of how this came to pass didn’t go in a straight line. The exposed server originally belonged to an organization called Bongo, which FedEx purchased in 2014 and renamed FedEx Cross-Border International. The 119,000 scanned documents exposed on the server dated from between 2009 and 2012, and it’s quite possible FedEx wasn’t even aware of the server’s existence. But now FedEx is responsible for the breach and the resulting impact. The exposure was essentially accidental, and similar scenarios often leave organizations with a data breach on their hands.
Another example of accidental compromise of AWS servers happened last fall. Back in September, we posted on news that 7 percent of Amazon S3 servers had been accidentally exposed due to misconfiguration. It’s not only easy to do, it’s common, leading many companies to deal with data exposures. (Read the full “7% of All Amazon S3 Servers Exposed” article.)
Read additional industry comments in the full FedEx Data Breach article.