FedEx goof exposes 119,000 passports, IDs and more

A huge FedEx security goof exposed more than 119,000 scanned documents, including passports and driving licenses of customers, the shipping company has admitted. Security researchers identified a server on which the scans – which had been collected as part of a discontinued service that assisted customers in setting up shipments – had been left unsecured and open to public access.

The cache was identified by researchers at Kromtech security, who say they "stumbled upon" an Amazon S3 bucket of the files. They concluded that the documentation had been collected by Bongo International LLC, which specialized in assisting retailers and others in to prepare shipments for international buyers. It was acquired by FedEx in 2014, and then relaunched two years later as FedEx Cross-Border International.

Under that name, it offered to make the international shipping process more streamlined. That included accepting over 80 different currencies for payment, across 15 different payment options, and promising credit card fraud protection for the transactions. FedEx went on to shut the service down in April of last year.

"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years," Kromtech's Bob Diachenko said of the firm's discovery. "Seems like bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that "heritage" when it bought Bongo International back in 2014."

For its part, FedEx says that it is investigating the security lapse. Documents held in the cache included scans of IDs ranging from passports and driving licenses, national identification cards, and more. In addition to US customers, it included data from people in the EU, Canada, Mexico, Japan, China, and more. According to Kromtech, the server was identified on February 5, with access locked down on February 14.

"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," Jim McCluskey, FedEx spokesman, said in a statement. However, he also insisted that there was no evidence that the data, though exposed, had been compromised. "We have found no indication that any information has been misappropriated and will continue our investigation," the spokesman said.

FedEx – and other existing shipping companies, like UPS – face unexpected pressure from Amazon, according to recent reports. The online shopping behemoth, which has come to comprise an increasingly large proportion of the courier firms' business, is said to be developing its own, in-house shipping service.