FedEx is the latest company to have inadvertently left personally identifiable information publicly exposed on a cloud storage server.
On Feb. 15, security firm Kromtech publicly reported that it had discovered an unsecured cloud storage repository containing 119,000 scanned documents belonging to both U.S. and international citizens. The data came from Bongo International, which was acquired in 2014 by FedEx Corp.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years,” Bob Diachenko, head of communications at Kromtech Security Center, stated. “Seems like bucket has been available for public access for many years in a row.”
The scanned data that Kromtech discovered was collected by Bongo as part of an application process for individuals to get delivery of mail through an agent. The scanned information included driver’s licenses, passports and other forms of security identification. Diachenko stated that it’s unknown whether FedEx was aware of the scanned data when it bought Bongo International back in 2014.
What is clear, though, is that FedEx is now aware of the data and has taken steps to secure it.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx stated. “The data was part of a service that was discontinued after our acquisition of Bongo.”
FedEx added that it found no indication that any information has been misappropriated and the company will continue its investigation.
Amazon S3 Leaks
The data stored by Bongo was hosted in an Amazon S3 (Simple Storage Service) bucket. The data bucket was apparently not properly configured by Bongo, enabling public access by those who knew where to look for the data.
There are multiple tools and methods available to researchers and attackers alike to find potentially exposed Amazon S3 buckets. One such tool is the open-source AWS BucketDump project, which provides a secure way to look for interesting files in S3 buckets, according to the project’s GitHub page.
FedEx is certainly not the first firm, nor will it be the last, to receive a report that it has somehow left customer information publicly exposed in the cloud. In recent years, multiple sets of security researchers have reported similar incidents. In December 2017, security firm UpGuard reported that the information of 123 million Americans was exposed in an Amazon S3 bucket by data analytics firm Alteryx, which is a business partner of consumer credit reporting agency Experian. Other firms that have inadvertently left customer data exposed in the cloud include Accenture and Verizon, among others.
How To Limit the Risk of Cloud Data Leaks
While Amazon S3 cloud data leaks have often been reported, there are a number of steps that organizations can take using Amazon’s own tools to limit risk.
In all of the publicly reported Amazon S3 data leaks, the storage bucket was somehow misconfigured, enabling unintended public access. Amazon has multiple technologies available to its S3 users to discover personally identifiable information in S3 storage buckets, as well as to protect that data.
The Amazon Macie service, which was first announced in August 2017, is a machine learning technology that helps organizations find confidential information that might be stored in their S3 storage buckets. Amazon also provides encryption capabilities for S3 that were announced in November 2017, enabling organizations to encrypt confidential information that is stored in S3 buckets, helping to limit the risk of data leakage.
The Amazon Web Services (AWS) Config service provides additional capabilities for organizations to secure their S3 storage buckets. AWS Config provides policy and configuration settings for Amazon’s cloud services. Amazon improved AWS Config in 2017 with preset rules that enable organizations to block public reads and writes to S3 storage instances.
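As an added illustration (not part of the original article, and not AWS's own rule logic), the Python sketch below shows the kind of check such rules perform: it inspects a bucket ACL and bucket policy, in the JSON shapes S3 returns for them, and reports whether they open read or write access to the public. The function names and the sample ACL are constructed for this example, and as a simplification any policy statement carrying a Condition is skipped.

```python
import json

# Predefined S3 grantee groups that open a grant to everyone.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMS = {"READ", "READ_ACP", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(acl, policy_json=None):
    """Return which of "read"/"write" the ACL and bucket policy open to the public."""
    exposed = set()
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in READ_PERMS:
                exposed.add("read")
            if grant.get("Permission") in WRITE_PERMS:
                exposed.add("write")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification: a Condition may narrow access, so only unconditioned Allows count.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()
            if name in ("*", "s3:*") or name.startswith(("s3:get", "s3:list")):
                exposed.add("read")
            if name in ("*", "s3:*") or name.startswith(("s3:put", "s3:delete")):
                exposed.add("write")
    return exposed

# Constructed sample: owner has full control, but everyone can list the bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

if __name__ == "__main__":
    print(sorted(public_exposure(SAMPLE_ACL)))
```

A non-empty result for a bucket that is meant to be private is the condition to alert on and remediate.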
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.