Slashdot Mirror


119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com)

FedEx left scanned passports, driver's licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, it's unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.

34 comments

  1. Ok, I give up.... by cayenne8 · · Score: 1
    ...WTF would FedEx need scanned passports for ANYTHING?

    Hell, I don't even have a passport, yet I use FedEx to send/receive stuff all the time.

    Why are people giving FedEx passport and other info of that nature?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:Ok, I give up.... by Calydor · · Score: 3, Insightful

      Because FedEx sends across borders, and a passport is a very useful international ID.

      And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Ok, I give up.... by Anonymous Coward · · Score: 1

      And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

      They had three years to establish procedures to detect and prevent this problem. How many years, before they become responsible for the liabilities they purchased?

    3. Re:Ok, I give up.... by Anonymous Coward · · Score: 0

I send stuff across the border with Fedex frequently (Canada->US and Canada->Asia). I've never been asked for my passport.

    4. Re:Ok, I give up.... by Anonymous Coward · · Score: 0

      Quite a lot of countries want identification when posting cross-border for custom clearance (tax and duties.)

      Fedex might be required by those countries to -- at least temporarily -- collect that information.

    5. Re:Ok, I give up.... by mjwx · · Score: 1

      Because FedEx sends across borders, and a passport is a very useful international ID.

      And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

      I have sent literally tonnes of stuff overseas (I mean literally, most of it commercial goods) and not once have I been asked for a passport, let alone my passport, to send goods. This to and from Europe, Australia, the UK, Colombia and the Philippines amongst others.

      FedEx should not be storing passports... in fact it would be illegal to do so under Australian or UK data protection laws.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:Ok, I give up.... by cayenne8 · · Score: 1

      Because FedEx sends across borders, and a passport is a very useful international ID.

      Since when do you have to show an ID, much less a passport to mail something across borders internationally?

      I've never had to do that before either....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    7. Re:Ok, I give up.... by bondsbw · · Score: 1

Legally, "it depends". Parent companies are usually not liable for the acts of subsidiaries, but there tends to be a pattern of exceptions to this rule:

      1) Undocumented transfers of funds and the subsidiary doing business under the name of the parent
      2) The subsidiary doesn't own much of anything to pay back liabilities
      3) Subsidiary avoids ability to pay by transferring assets to the parent (fraud)

      https://www.invigorlaw.com/whe...

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:Ok, I give up.... by Anonymous Coward · · Score: 0

I send stuff across the border with Fedex frequently (Canada->US and Canada->Asia). I've never been asked for my passport.

It seems that a passport copy is required when you are dealing with import/export with China.

    9. Re:Ok, I give up.... by Anonymous Coward · · Score: 0

I agree with you, but you wouldn't be affected if you aren't dealing with China. I believe it is a part of Chinese law.

    10. Re:Ok, I give up.... by Calydor · · Score: 1

I recently ordered an e-cig as a present for my mother. Since e-cigs and their fluids are linked to nicotine, the seller was required by law to see ID when it was delivered. One of the options for ID was my passport.

      This wasn't even international, as I recall, but from Germany to Germany.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  2. I know a guy... by bobbied · · Score: 1

    Who works for FedEx in their IT department... I sure hope he isn't the one who takes the fall for this, because you KNOW that some low level IT guy is going to be crucified for this lapse of security procedures.

    Never mind that NONE of this data should EVER live unencrypted on hardware outside of your direct control and only decrypted when needed.... OR that FedEx actually collects such information in the first place....

    Man I sure hope it's not his "fault" because he's got a large family to feed there..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:I know a guy... by ShanghaiBill · · Score: 1

      you KNOW that some low level IT guy is going to be crucified for this lapse of security procedures.

      If he is the one that violated security policies, then why shouldn't he be fired?

      Never mind that NONE of this data should EVER live unencrypted on hardware outside of your direct control

      Who do you think put it there? The CEO? Most likely this was some cowboy IT guy taking shortcuts.

      ... OR that FedEx actually collects such information in the first place....

      They are required by law to do so in many of the countries where they operate.

    2. Re:I know a guy... by Anonymous Coward · · Score: 1

      "Who do you think put it there? The CEO? "

      No, but you can be sure the CEO said the equivalent of "It costs too much money and takes too much time to do this right."

    3. Re:I know a guy... by bobbied · · Score: 2

      Actually FedEx is blaming the company they purchased for this... I guess the IT guy who got laid off after they purchased his company will get the blame.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:I know a guy... by ShanghaiBill · · Score: 1

      No, but you can be sure the CEO said the equivalent of "It costs too much money and takes too much time to do this right."

      No, you can't be sure of that. Most likely the CEO was told it was being done right. Also, it rarely "costs more" to do it right. My company has never had a public breach, but we have had several security problems that were discovered internally. It was always some knucklehead taking shortcuts, not following procedures, or just screwed up, and the guilty party was being paid just as much as anyone else. The solution was not "spend more money", but "fire the serially incompetent".

  3. You ask WHY by Anonymous Coward · · Score: 0

Remember, FedEx bought Kinko's, which used to copy people's documents, paperwork, sometimes their licenses, and passports. When you buy a company as large as that, then you buy into another one with even more sensitive stuff, then I guess you pay the piper. But their focus was shipping, not documents, which were kept on some hardware somewhere.

  4. yup by fluffernutter · · Score: 1

    This is why I won't use any service that needs me to take a picture of my ID for uploading. Even if you put watermarks all over it, it is very risky. Apparently a lot of people will do things like this without thinking twice about it.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:yup by Tokolosh · · Score: 1

      I was at a doctor's office last week. Patients lining up to have their IDs scanned into the system. I wonder how long before they are for sale on the dark web?

      Silly me, I "forgot" my ID at home. Told the receptionist that next time she could look at it to verify that I am who I say I am, but I would not allow it to be scanned.

      Push back, citizens!

      --
      Prove anything by multiplying Huge Number times Tiny Number
  5. The real question is by Anonymous Coward · · Score: 0

    Why the fuck does amazon provide the ability to have insecure data/servers??
    They operate on a open network why there is an option to not have at least a password is beyond stupid!!!

    1. Re: The real question is by daniel.w.wood · · Score: 1

      You apparently have no idea how S3 works.

    2. Re:The real question is by spatley · · Score: 1

      Well the "ability" to have insecure (meaning public) data on s3 is a necessary part of their service for many use cases.
But the **default** setting on any s3 bucket (the actual term for the resource on their service) is private: it can only be read by users that have been granted explicit authority.
That makes this story that much more tragic, because a problem of this nature requires that some fuckwit actually logged into amazon and edited the settings on this bucket to "make public".
How that happened is a simple one-D-ten-T (1D10T) class of problem.
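Since the comment above is the only technical explanation on the page of how a bucket like this ends up readable from the Internet, here is an added example (mine, not Kromtech's, FedEx's or AWS tooling) that shows what the "make public" edit actually looks like and how to check for it. A bucket becomes public in exactly two places: an ACL grant to the global AllUsers or AuthenticatedUsers group, or a bucket policy that allows a wildcard principal. The script audits both documents in the shape the S3 GetBucketAcl and GetBucketPolicy APIs return them, on constructed sample inputs (the bucket name and owner ID are hypothetical), so it runs offline; in practice you would feed it the output of boto3's get_bucket_acl and get_bucket_policy calls.

```python
"""Audit an S3 bucket ACL and bucket policy for public access paths.

Added example, not code from the original page. All sample documents below are
constructed; the bucket name and owner ID are hypothetical.
"""
import json

# Group URIs S3 uses in ACL grants; a grant to either makes the bucket "public"
# (AllUsers = anyone on the Internet, AuthenticatedUsers = any AWS account at all).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs from a GetBucketAcl-style dict that grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements whose Principal is everyone, from a policy dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "statement[%d]" % index),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow "everyone";
            # it is reported but not counted as public here, and still deserves review.
            "conditioned": "Condition" in stmt,
        })
    return findings


def audit_bucket(acl, policy=None):
    """Combine both checks; 'public' is True if any unconditioned public access path exists."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy is not None else []
    unconditioned = [f for f in policy_findings if not f["conditioned"]]
    return {
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
        "public": bool(acl_findings or unconditioned),
    }


# --- Constructed sample documents (hypothetical bucket "example-crossborder-docs") ---
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}

# A freshly created bucket: only the owner has FULL_CONTROL, nobody else is granted anything.
DEFAULT_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}],
}

# The "make public" edit: an extra READ grant to AllUsers lets anyone list the bucket.
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": DEFAULT_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# A bucket policy that hands every object to anonymous readers (the static-website pattern).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-crossborder-docs/*",
    }],
})

if __name__ == "__main__":
    for name, acl, policy in [("default", DEFAULT_ACL, None),
                              ("acl-public", LEAKY_ACL, None),
                              ("policy-public", DEFAULT_ACL, LEAKY_POLICY)]:
        print(name, json.dumps(audit_bucket(acl, policy)))
```

Two caveats a practitioner should keep in mind. A bucket-level READ grant only lets the world list the keys; it is the per-object ACLs (or a policy granting s3:GetObject, as in the sample) that let the world download the scans, so a clean bucket ACL does not prove the objects are private and each object's ACL needs the same check. And a statement with a Condition is not necessarily safe; it is only excluded from the "public" verdict here because whether the condition actually narrows access has to be read by a human.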

  6. The real question by Anonymous Coward · · Score: 0

    Why is there an option to setup a data store without any protection???

    1. Re:The real question by AHuxley · · Score: 1

      The US gov likes collecting plain text.

      --
      Domestic spying is now "Benign Information Gathering"
  7. uh ... by Hugh+Jorgen · · Score: 0

    S3 is a Service, not a "Server."

  8. It's obnoxious calling out Amazon in the title by Anonymous Coward · · Score: 0

    The title makes it sound like Amazon has lousy security.

    Somebody rented a server from amazon; it could have been from anyone. There's no reason to call them out in the title.

  9. Re:I know 2-cent advicea guy... by Anonymous Coward · · Score: 0

    Well I hope he hasn't been on anybody's sh*tlist, because you know how corporate politics works. If he's low-tier man on the totem pole, he better start playing it smart now.

  10. Roll on May by coofercat · · Score: 1

    Roll on May 2018. The EU GDPR regulations kick in, and this shit means companies get shut down.

    If this happens after May, Fedex companies in all European nations will be obligated to report themselves to their respective Information Commissioners Office. The ICO will then investigate and has the power to fine them €20 million, or 4% of the *global* turnover of the whole company (whichever is the greater). So for the likes of Fedex (with global revenue measured in billions), that could run into hundreds of millions of Euro. If Fedex wants to deliver (or receive) a parcel in Europe ever again, they'll pay up. Otherwise, they'll have to cease trading in Europe (and no, popping up as Fexde shortly afterwards as an attempt to evade the fine won't wash either).

    Of course, we have no way to know how the ICO will react to things like this, so it may not be as bad as all that. Leaving stuff on a publicly accessible server is unlikely to go down well though. Passport picture pages seem like a pretty bad thing to lose too, so again, unlikely to go down well.

  11. A couple years ago by kilodelta · · Score: 1

    I ordered a pair of sneakers. They of course shipped via UPS who in my area is more famous for doing tag and run than delivering packages.

So I had to go down to the depot to get the package. First she asks for ID. I asked if she was law enforcement; if not, then you cannot see it. She places the package on the counter, I pick it up and walk out. She chases after me because I didn't sign for it either. It was too funny.

    1. Re:A couple years ago by Anonymous Coward · · Score: 0

      You sound like a right jerk. "If no then you cannot see it". Well, then maybe you can't have the package if you can't show you are the person on the label.

    2. Re:A couple years ago by Anonymous Coward · · Score: 0

      Yeah. He'll be the same one whining like a little bitch that they don't verify anything when some random person walks in and steals his next pair of shitty shoes.

  12. You want my passport? by Anonymous Coward · · Score: 0

    I go through this when looking for dedicated servers sometimes. Leaseweb is a particularly bad one for that, and it's why they've lost thousands of dollars of my business over the years. Online and even OVH have no issue with me renting European servers without needing to see a scanned copy of a document that's really important to me.

    My standard response to a passport request over the internet has become "suck my dick." It goes something like this: Them: "Thank you for your order! Before we can continue, we require a copy of your passport or similar photo identification for our records." Me: "Suck my dick." (either that or straight up silence)

    To date, nobody has ever broken into a server (or freely accessed it, well done FedEx) and stolen a scan of my passport, because I'm not crazy enough to leave that kind of thing in the hands of an incompetent retard playing security expert.