2017 was the year of the badly configured server, as everyone from the WWE to the GOP leaked millions of records on Americans thanks to a dumb mistake made in configuring Amazon’s S3 storage. All it takes is one employee misunderstanding the settings, and data the company thinks is private is in fact public. The latest company to fall afoul of this is FedEx, which, thanks to a company it bought out, had unknowingly left data of customers around the world available online for years.
Gizmodo reports the trouble started not with FedEx, but with a company it bought out in 2014, Bongo. Bongo was sort of an international shipping middleman that helped with currency conversions and calculating shipping costs. After it was purchased, it became FedEx Cross-Border Services before being shut down a few years later. The data publicly available was worryingly extensive:
The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.
FedEx has reported that, so far, it hasn’t found any evidence of wrongdoing or improper access, but it’s continuing its investigation into the problem. It appears the server simply slipped through the cracks after FedEx bought Bongo and was missed by internal audits. Once FedEx was alerted to the problem, it found and locked down the server. Still, anybody who used the service between 2009 and 2012 should probably be concerned. And, yet again, it’s a reminder for any business that has an Amazon server to check its settings. If it can happen to FedEx, it can happen to anybody.