Thousands of FedEx customers were exposed after the company left scanned passports, drivers licenses, and other documentation on a publicly accessible Amazon S3 server.
The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.
The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.
According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” said FedEx in a statement to Gizmodo. “The data was part of a service that was discontinued after our acquisition of Bongo.”
FedEx added there’s “no indication” of the data being “misappropriated.” Its investigation into the matter is ongoing.
According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, its unclear if FedEx was aware of the server’s existence when it purchased Bongo in 2014, the company said.
Bob Diachenko, Kromtech’s head of communications, said that essentially anyone who might’ve used Bongo’s services between 2009 and 2012 may have had their identity compromised. It’s possible the data has been exposed online for several years, he said.
“This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale,” Kromtech said in a statement. “During the integration or migration phase is usually the best time to identify any security and data privacy risks.”