FREE FOR THE TAKING —

Mountain of sensitive FedEx customer data exposed, possibly for years

Company stored customer passports, driver licenses, and more in public Amazon bucket.

A redacted copy of data FedEx employees left on a publicly accessible Amazon bucket.

Passports, driver licenses, and other sensitive documentation for thousands of FedEx customers were left online, possibly for years, in a blunder that left the information available to identity thieves and other malicious actors, researchers said Thursday.

In all, Kromtech Security Center said, researchers found 119,000 scanned documents stored in a publicly available Amazon S3 bucket. The photo ID scans were accompanied by completed US Postal Service forms that included names, home addresses, and phone numbers of people who requested to have mail delivered by an authorized agent.

"Citizens from all over the world left their scanned IDs—Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia—to name a few," Kromtech researchers wrote.

The data was initially gathered by Bongo International, a company that helped North American retailers and brands sell online to consumers in other countries, the researchers said. FedEx acquired Bongo International in 2014 and eventually renamed it FedEx Cross-Border International. FedEx shut down the service last April. The discovery of the customer IDs and other personal information suggests not only that the information was never properly secured to begin with, but also that FedEx officials failed to purge the data once the service was discontinued. Kromtech said the information may have been available since 2009.

Thursday's post said Kromtech researchers made "attempts to get in touch with FedEx via FedEx Cross-Border Merchant Customer Support line and emails." The researchers said they didn't succeed until Tuesday, when ZDNet reporter Zack Whittaker began contacting FedEx officials. The unsecured Amazon bucket was taken down on Wednesday.

In a statement, FedEx officials wrote: "After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation."

Of course, the absence of evidence isn't evidence of absence. People who used Bongo International or FedEx Cross-Border International should be on alert. The incident is a good reason why people should avoid turning over personal information whenever practical.
