Thousands of FedEx customer records exposed by unsecured server


Numerous files have been independently verified with their owners by security researchers and journalists.

The server stored more than 119,000 scanned documents from US and global citizens, such as passports, driving licenses, and security identification, according to a report from security research firm Kromtech. The exposed photo ID scans originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, and China.

Upon analysis, Kromtech concluded that the information was linked to a cross-border payments firm called Bongo International LLC, which was bought by FedEx in 2014 before being relaunched as FedEx Cross-Border International.

According to the security firm, the server belonged to Bongo International, a company that helped customers with shipping calculations and currency translations.

"The data was part of a service that was discontinued after our acquisition of Bongo," a company spokesperson said, adding that they "have found no indication that any information has been misappropriated" and that they will continue their investigation.

Tony Pepper, CEO of data security company Egress Software Technologies Inc, said: "It's alarming that 112,000 sensitive files were left exposed on this server, including data that, if in the wrong hands, could lead to fraud and financial loss for the data subjects involved".

Kromtech said its researchers found the unsecured server on February 5, and it was closed to public access on Wednesday.

"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years", said Bob Diachenko, Kromtech's chief communications officer. It is unclear if FedEx was aware of the server's existence when it purchased Bongo. Kromtech said in a statement, "This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale".

FedEx has issued a statement saying that archived Bongo International account information stored on a third-party server is secure. The company added that none of the information was mishandled and that the investigation was ongoing. Kromtech said the information may have been available since 2009.