The FedEx Amazon S3 cloud server contained over 119,000 scanned documents of U.S. and international citizens, including passports, driver's licenses and security IDs, Kromtech said in a prepared statement. Also, the names, home addresses, phone numbers and other personal information of citizens from all over the world were left on the server.
A Closer Look at the FedEx Data Leak
Kromtech security researchers found FedEx's unsecured Amazon S3 server on February 5. The server was set for public access and belonged to Bongo International, which was acquired by FedEx in 2014 and relaunched as the FedEx Cross-Border International service in 2016. However, FedEx Cross-Border was discontinued in April 2017.
Customers who used Bongo International services between 2009 and 2012 were at risk of having their documents scanned and available online, Kromtech Head of Communications Bob Diachenko told ZDNet. Meanwhile, it is unclear whether FedEx knew about the unsecured Amazon S3 server when it purchased Bongo International, Diachenko stated.
There is no indication that any information hosted on the affected server has been "misappropriated," FedEx said in a prepared statement. This information is secure, FedEx noted, and the company will continue to investigate the data leak.
Data Leaks Becoming Major Problems for Many Organizations
FedEx is one of many organizations to leak customer data due to a misconfigured Amazon server. Additional examples include:
- Accenture Cloud: Accenture Cloud mission-critical intellectual property (IP) was exposed via an Amazon Web Services (AWS) cloud leak.
- Time Warner Cable: More than 4 million Time Warner Cable customer records were exposed via an AWS cloud leak.
- WWE: A World Wrestling Entertainment (WWE) database leak exposed the personal information of more than 3 million users.
- Dow Jones: About 2.2 million Dow Jones subscribers were affected by a data leak that occurred due to a misconfigured AWS cloud account.
Organizations should invest in continuous security validation through automated testing to address Amazon server leaks, Carl Wright, chief revenue officer at security control validation platform provider AttackIQ, told MSSP Alert. With this approach, organizations can constantly test security controls for misconfigurations, Wright stated, and detect security flaws and gaps faster than ever before.
BuckHacker Introduces Search Engine for Exposed Amazon S3 Buckets
The BuckHacker search engine temporarily enabled end users to explore exposed Amazon cloud servers.
BuckHacker collects Amazon S3 bucket names, captures the bucket's index page, reviews the results and makes this information available for users to search, according to Motherboard. It also enables users to search by bucket name or filename.
BuckHacker was active for eight hours but has been shut down, the company said in a prepared statement. The search engine will be kept offline "for the moment," BuckHacker stated, and the company plans to collaborate with vendors to explore ways to improve the security of Amazon S3 buckets.
Ultimately, BuckHacker shines a light on some of the most common security vulnerabilities in cloud environments, Zohar Alon, CEO of AWS security monitoring solutions provider Dome9, told MSSP Alert. However, BuckHacker is not foolproof, Alon said, and organizations should use tools to continuously monitor their cloud assets and fix exposures and vulnerabilities.
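The advice from both AttackIQ and Dome9 above comes down to the same control: continuously check whether any bucket is readable by the world, the way the Bongo International server was. The following Python script is an added example (not code from FedEx, Kromtech, BuckHacker, or any vendor quoted here) that evaluates the three settings that decide public exposure of an S3 bucket: ACL grants to the AllUsers/AuthenticatedUsers groups, bucket-policy statements that allow a wildcard principal, and the Public Access Block settings that can override both. It works offline on JSON in the shape the real GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return; the bucket names, grants and policies in the sample inventory are constructed for illustration, and the `audit_inventory` helper is assumed to be fed from whatever inventory tooling an organization already runs.

```python
"""Offline audit of S3 bucket access settings (added example, constructed data).

Evaluates the three things that make a bucket world-readable:
  1. ACL grants to the AllUsers / AuthenticatedUsers groups,
  2. bucket-policy statements that Allow a wildcard principal,
  3. whether Public Access Block neutralises (1) and (2).
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to anonymous or any-AWS-account groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal and carrying no Condition."""
    if not policy_json:
        return []
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")  # a Condition may narrow access; review those separately
    ]


def assess_bucket(name, acl, policy_json, public_access_block):
    """Combine ACL, policy and Public Access Block into one verdict for the bucket."""
    pab = public_access_block or {}
    # IgnorePublicAcls makes public ACL grants ineffective;
    # RestrictPublicBuckets makes public policy statements ineffective.
    effective_acl = [] if pab.get("IgnorePublicAcls") else public_acl_grants(acl)
    effective_policy = [] if pab.get("RestrictPublicBuckets") else public_policy_statements(policy_json)
    return {
        "bucket": name,
        "public": bool(effective_acl or effective_policy),
        "acl_grants": effective_acl,
        "policy_statements": effective_policy,
    }


def audit_inventory(inventory):
    """Assess every bucket in an inventory list; returns one verdict dict per bucket."""
    return [assess_bucket(b["name"], b["acl"], b.get("policy"), b.get("pab")) for b in inventory]


# Constructed sample inventory (not real bucket names or policies).
SAMPLE_INVENTORY = [
    {   # world-readable via ACL, nothing blocking it: the Bongo-style misconfiguration
        "name": "example-scanned-documents",
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    },
    {   # same ACL grant, but Public Access Block neutralises it
        "name": "example-hardened",
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "pab": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
    {   # clean ACL but a bucket policy open to any principal
        "name": "example-static-site",
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"}]}),
    },
]

if __name__ == "__main__":
    for verdict in audit_inventory(SAMPLE_INVENTORY):
        print(verdict)
```

Run against a live account, the three input documents would come from the corresponding AWS API calls on a schedule, and any verdict with `public: True` is the finding to alert on; keeping the evaluation logic separate from the API calls, as here, lets it be unit-tested and rerun over stored snapshots when reviewing how long an exposure existed.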