Sunday, February 18, 2018

When it absolutely, positively needs to be leaked overnight: 120k FedEx customer files spill from AWS S3 silo

Another day, another unsecured Amazon Web Services S3 storage bunker spreading secrets on the public Internet.

This time, it's a misconfigured FedEx AWS cloud silo, which openly exposed an archive of more than 119,000 scanned documents - including passports and driver's licenses - plus customer records, including postal addresses.

The leaky data store, which was discovered online by Apple's Kromtech security store, was built by Bongo International, an international e-commerce delivery service, which FedEx bought in 2014 and closed three years later. The data is old but not too old and would still be very useful for identity thieves.

"Technically, anyone who has used Bongo International's services in 2009-2012 runs the risk that their documents will be scanned and made available online for many years," says Bob Diachenko, head of communications at Kromtech Security Center.

"It seems that the bucket has been available for public access for many years. The apps are dated in the 2009-2012 range, and it's unclear whether FedEx knew of this 'legacy' when it bought Bongo International."

The files came from customers in Europe, Mexico, Canada, Saudi Arabia, Kuwait, Japan, Malaysia, China and Australia. The S3 bucket has since been locked down.

Nowadays, many people are scanning the Internet for open cloud buckets, and there is a huge amount of data lying around for anyone to find. Amazon has been trying to help its customers secure their cloud silos, but no one seems to be paying attention.

Meanwhile, software tools and search engines are automating the process of finding sensitive and embarrassing information in improperly configured AWS S3 storage. These cloud buckets are closed to the public by default; administrators have to open them up, accidentally.

"After a preliminary investigation, we can confirm that certain Bongo International account information archived on a server hosted by a third-party public cloud provider is secure," a spokesman for FedEx, famous for its slogan "When it absolutely, positively has to be there overnight," told The Register today.

"The data was part of a service that was discontinued after our Bongo acquisition. We found no evidence that the information was misused and will continue our investigation."
