FedEx customer information, including copies of photo IDs, found exposed online



Personal information belonging to customers of Bongo International, a shipping-forwarding service that FedEx acquired in 2014, was found to have been left accessible to anyone on the internet.

FedEx Customer Records Exposed
https://mackeepersecurity.com/post/fedex-customer-records-exposed

Mountain of sensitive FedEx customer data exposed, possibly for years | Ars Technica
https://arstechnica.com/information-technology/2018/02/fedex-customer-data-left-online-for-anyone-to-rifle-through/

Researchers at the Kromtech Security Center, who carry out security surveys, found that scanned documents uploaded by FedEx users were stored in an Amazon S3 bucket that anyone could access. The exposed data covered about 119,000 people and included each user's name, home address and telephone number, with a copy of their photo ID attached. The researchers wrote that the ID copies came from users in many countries, including Mexico, Canada, the EU, Saudi Arabia, Kuwait, Japan, Malaysia, China and Australia.
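The bucket was exposed because it answered unauthenticated requests. As an added example that is not part of the original article, the shell function below classifies the response that S3 returns to an anonymous GET on a bucket's root URL, so a practitioner can tell a bucket that lists its contents to the world from one that correctly denies access. The bucket name, object key and XML bodies are constructed for illustration; only the response shapes follow S3's documented behaviour.

```shell
# classify_s3_response STATUS BODY
#   STATUS: HTTP status code from an unauthenticated GET on
#           https://<bucket>.s3.amazonaws.com/
#   BODY:   the response body
# Prints one word describing what the response means.
classify_s3_response() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      # A 200 with <ListBucketResult> means anyone can enumerate the keys,
      # which is how an exposed bucket is found and downloaded in bulk.
      if printf '%s' "$body" | grep -q '<ListBucketResult'; then
        echo public-listing
      else
        echo unexpected-200
      fi
      ;;
    403)
      # AccessDenied on the listing is the expected state for a private
      # bucket. Caveat: individual objects can still be world-readable via
      # object ACLs even when listing is denied, so check known keys too.
      if printf '%s' "$body" | grep -q '<Code>AccessDenied</Code>'; then
        echo private
      else
        echo forbidden
      fi
      ;;
    404)
      echo no-such-bucket
      ;;
    *)
      echo "unknown($status)"
      ;;
  esac
}

# probe_bucket BUCKET
# Performs the real unauthenticated request with curl and classifies it.
# Requires network access; not exercised by the offline samples below.
probe_bucket() {
  bucket="$1"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "https://${bucket}.s3.amazonaws.com/")
  classify_s3_response "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# Constructed sample responses (illustrative; not captured from any real bucket).
SAMPLE_PUBLIC='<?xml version="1.0" encoding="UTF-8"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>example-bucket</Name><Contents><Key>scans/id-0001.jpg</Key></Contents></ListBucketResult>'
SAMPLE_DENIED='<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'

# Usage with the constructed samples:
#   classify_s3_response 200 "$SAMPLE_PUBLIC"   -> public-listing
#   classify_s3_response 403 "$SAMPLE_DENIED"   -> private
# Usage against a live bucket (network):
#   probe_bucket example-bucket
#
# If a bucket you own reports public-listing, the standard fix today is to
# turn on S3 Block Public Access for it:
#   aws s3api put-public-access-block --bucket example-bucket \
#     --public-access-block-configuration \
#     BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
```

The listing check is the quick test; a bucket that denies listing is not necessarily safe, because an object uploaded with a public-read ACL is still fetchable by anyone who knows or guesses its key. Block Public Access closes both paths, and data from a discontinued service, as in this case, should be deleted rather than merely locked down.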

The data was originally collected by Bongo International, which forwarded goods that could only be shipped within the United States to customers in other countries. FedEx acquired Bongo International in 2014 and renamed it FedEx Cross-Border International, but shut the service down in the spring of 2016. The exposure indicates that the user data was not handled properly from the start and that FedEx failed to delete it when the service ended. Kromtech's researchers believe the data had been publicly accessible since 2009.

The following kinds of documents were openly accessible online.


Because the shipments went overseas, copies of photo IDs, including passports, were also attached.


On February 13, 2018, the researchers tried to contact FedEx through the customer support channel of FedEx Cross-Border Merchant, but could not reach anyone. After a ZDNet reporter subsequently contacted FedEx, the Amazon S3 bucket was taken offline.

"As a result of a preliminary investigation, we have confirmed that Bongo International's past account information was on a third-party server. This public cloud provider is secure. Although there are no signs that this information has been misused, we will continue to investigate."

in Security, Posted by darkhorse_log