This article is more than 1 year old

When it absolutely, positively needs to be leaked overnight: 120k FedEx customer files spill from AWS S3 silo

Passport scans, drivers licenses, etc, exposed online

Another day, another unsecured Amazon Web Services S3 storage bucket spilling secrets onto the public internet.

This time it's a misconfigured AWS cloud silo belonging to FedEx, which openly exposed an archive of more than 119,000 scanned documents – including passports and drivers licenses – plus customer records including postal addresses.

The leaky data store, which was discovered online by Apple security shop Kromtech, was built by international e-commerce delivery service Bongo International, which FedEx bought in 2014 and closed down three years later. The data is old, but not too old, and would still be very useful indeed for identity thieves.

"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years," Bob Diachenko, head of communications for Kromtech Security Center, said on Thursday.

"It seems like bucket has been available for public access for many years in a row. Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that 'heritage' when it bought Bongo International."

Western Union

While Western Union wired customers' money, hackers transferred their personal deets


The files belonged to customers in Europe, Mexico, Canada, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia. The S3 bucket has since been locked down.

These days there are a lot of folks scanning for open cloud storage folders online, and there is a huge amount of data being left lying around for anyone to find. Amazon has tried to help its customers secure their bit silos, but no one seems to be paying any attention.

Meanwhile, software tools and search engines are emerging to automate the process of finding sensitive and embarrassing information in misconfigured AWS S3 storage. These cloud buckets are by default closed to the public – administrators have to accidentally open them up.

"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," a spokesperson for FedEx – once famous for its slogan "When it absolutely, positively has to be there overnight" – told The Register today.

"The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation." ®

More about


Send us news

Other stories you might like