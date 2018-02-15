119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com) 21
FedEx left scanned passports, drivers licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, its unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.
Hell, I don't even have a passport, yet I use FedEx to send/receive stuff all the time.
Why are people giving FedEx passport and other info of that nature?
Because FedEx sends across borders, and a passport is a very useful international ID.
And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.
They had three years to establish procedures to detect and prevent this problem. How many years, before they become responsible for the liabilities they purchased?
Who works for FedEx in their IT department... I sure hope he isn't the one who takes the fall for this, because you KNOW that some low level IT guy is going to be crucified for this lapse of security procedures.
Never mind that NONE of this data should EVER live unencrypted on hardware outside of your direct control and only decrypted when needed.... OR that FedEx actually collects such information in the first place....
Man I sure hope it's not his "fault" because he's got a large family to feed there..
If he is the one that violated security policies, then why shouldn't he be fired?
Who do you think put it there? The CEO? Most likely this was some cowboy IT guy taking shortcuts.
They are required by law to do so in many of the countries where they operate.
No, but you can be sure the CEO said the equivalent of "It costs too much money and takes too much time to do this right."
No, you can't be sure of that. Most likely the CEO was told it was being done right. Also, it rarely "costs more" to do it right. My company has never had a public breach, but we have had several security problems that were discovered internally. It was always some knucklehead taking shortcuts, not following procedures, or just screwed up, and the guilty party was being paid just as much as anyone else. The solution was not "spend more money", but "fire the serially incompetent".
Actually FedEx is blaming the company they purchased for this... I guess the IT guy who got laid off after they purchased his company will get the blame.
I was at a doctor's office last week. Patients lining up to have their IDs scanned into the system. I wonder how long before they are for sale on the dark web?
Silly me, I "forgot" my ID at home. Told the receptionist that next time she could look at it to verify that I am who I say I am, but I would not allow it to be scanned.
Push back, citizens!
Well the "ability" to have insecure (meaning public) data on s3 is a necessary part of their service for many use cases.
But the **default** setting on any s3 bucket (the actual term for the resource on their service) is to have it private and can only be read by users that have been granted explicit authority.
That makes this story that much more tragic, because a problem of this nature requires that some fuckwit actually logged into amazon and edited the settings on this bucket to "make public"
