When it absolutely, positively needs to be leaked overnight: 120k FedEx customer files spill from AWS S3 silo

Passport scans, driver's licenses, etc, exposed online


Another day, another unsecured Amazon Web Services S3 storage bucket spilling secrets onto the public internet.

This time it's a misconfigured AWS cloud silo belonging to FedEx, which openly exposed an archive of more than 119,000 scanned documents – including passports and driver's licenses – plus customer records including postal addresses.

The leaky data store, which was discovered online by Apple security shop Kromtech, was built by international e-commerce delivery service Bongo International, which FedEx bought in 2014 and closed down three years later. The data is old, but not too old, and would still be very useful indeed for identity thieves.

"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years," Bob Diachenko, head of communications for Kromtech Security Center, said on Thursday.

"It seems like the bucket has been available for public access for many years in a row. Applications are dated within the 2009-2012 range, and it is unknown whether FedEx was aware of that 'heritage' when it bought Bongo International."

The files belonged to customers in Europe, Mexico, Canada, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia. The S3 bucket has since been locked down.

These days there are a lot of folks scanning for open cloud storage folders online, and there is a huge amount of data being left lying around for anyone to find. Amazon has tried to help its customers secure their bit silos, but no one seems to be paying any attention.

Meanwhile, software tools and search engines are emerging to automate the process of finding sensitive and embarrassing information in misconfigured AWS S3 storage. These cloud buckets are by default closed to the public – administrators have to accidentally open them up.

"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," a spokesperson for FedEx – once famous for its slogan "When it absolutely, positively has to be there overnight" – told The Register today.

"The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation." ®
