
119,000 Passports, Photo IDs of FedEx Customers Found On Unsecured Amazon Server (gizmodo.com)

FedEx left scanned passports, driver's licenses, and other documentation belonging to thousands of its customers exposed on a publicly accessible Amazon S3 server, reports Gizmodo. "The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes." From the report: The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday. According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017. According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, it's unclear if FedEx was aware of the server's existence when it purchased Bongo in 2014, the company said.

  • ...WTF would FedEx need scanned passports for ANYTHING?

    Hell, I don't even have a passport, yet I use FedEx to send/receive stuff all the time.

    Why are people giving FedEx passport and other info of that nature?

    • by Calydor ( 739835 ) on Thursday February 15, 2018 @06:28PM (#56131256)

      Because FedEx sends across borders, and a passport is a very useful international ID.

      And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

      • by Anonymous Coward

        And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

        They had three years to establish procedures to detect and prevent this problem. How many years, before they become responsible for the liabilities they purchased?

        • by bondsbw ( 888959 )

          Legally, "it depends". Parent companies are usually not liable for the acts of subsidiaries, but there tends to be a pattern of exceptions to this rule:

          1) Undocumented transfers of funds and the subsidiary doing business under the name of the parent
          2) The subsidiary doesn't own much of anything to pay back liabilities
          3) Subsidiary avoids ability to pay by transferring assets to the parent (fraud)

          https://www.invigorlaw.com/whe... [invigorlaw.com]

      • by mjwx ( 966435 )

        Because FedEx sends across borders, and a passport is a very useful international ID.

        And as the summary says, FedEx technically isn't to blame as all the data was gathered two years before they bought the company that gathered it.

        I have sent literally tonnes of stuff overseas (I mean literally, most of it commercial goods) and not once have I been asked for a passport, let alone my passport, to send goods. This to and from Europe, Australia, the UK, Colombia and the Philippines amongst others.

        FedEx should not be storing passports... in fact it would be illegal to do so under Australian or UK data protection laws.

      • Because FedEx sends across borders, and a passport is a very useful international ID.

        Since when do you have to show an ID, much less a passport to mail something across borders internationally?

        I've never had to do that before either....

        • by Calydor ( 739835 )

          I recently ordered an e-cig as a present for my mother. Since e-cigs and their fluids are linked to nicotine, the seller by law required that they needed to see ID when it was delivered. One of the options for ID was my passport.

          This wasn't even international, as I recall, but from Germany to Germany.

  • Who works for FedEx in their IT department... I sure hope he isn't the one who takes the fall for this, because you KNOW that some low level IT guy is going to be crucified for this lapse of security procedures.

    Never mind that NONE of this data should EVER live unencrypted on hardware outside of your direct control and only decrypted when needed.... OR that FedEx actually collects such information in the first place....

    Man I sure hope it's not his "fault" because he's got a large family to feed there..

    • you KNOW that some low level IT guy is going to be crucified for this lapse of security procedures.

      If he is the one that violated security policies, then why shouldn't he be fired?

      Never mind that NONE of this data should EVER live unencrypted on hardware outside of your direct control

      Who do you think put it there? The CEO? Most likely this was some cowboy IT guy taking shortcuts.

      ... OR that FedEx actually collects such information in the first place....

      They are required by law to do so in many of the countries where they operate.

      • by Anonymous Coward

        "Who do you think put it there? The CEO? "

        No, but you can be sure the CEO said the equivalent of "It costs too much money and takes too much time to do this right."

        • No, but you can be sure the CEO said the equivalent of "It costs too much money and takes too much time to do this right."

          No, you can't be sure of that. Most likely the CEO was told it was being done right. Also, it rarely "costs more" to do it right. My company has never had a public breach, but we have had several security problems that were discovered internally. It was always some knucklehead taking shortcuts, not following procedures, or just screwed up, and the guilty party was being paid just as much as anyone else. The solution was not "spend more money", but "fire the serially incompetent".

      • Actually FedEx is blaming the company they purchased for this... I guess the IT guy who got laid off after they purchased his company will get the blame.

  • This is why I won't use any service that needs me to take a picture of my ID for uploading. Even if you put watermarks all over it, it is very risky. Apparently a lot of people will do things like this without thinking twice about it.
    • I was at a doctor's office last week. Patients lining up to have their IDs scanned into the system. I wonder how long before they are for sale on the dark web?

      Silly me, I "forgot" my ID at home. Told the receptionist that next time she could look at it to verify that I am who I say I am, but I would not allow it to be scanned.

      Push back, citizens!

  • Roll on May 2018. The EU GDPR regulations kick in, and this shit means companies get shut down.

    If this happens after May, Fedex companies in all European nations will be obligated to report themselves to their respective Information Commissioners Office. The ICO will then investigate and has the power to fine them €20 million, or 4% of the *global* turnover of the whole company (whichever is the greater). So for the likes of Fedex (with global revenue measured in billions), that could run into hundreds

  • I ordered a pair of sneakers. They of course shipped via UPS who in my area is more famous for doing tag and run than delivering packages.

    So I had to go down to the depot to get the package. First she asks for ID - I asked was she law enforcement? If no then you cannot see it. She places the package on the counter, I pick it up and walk out. She chases after me because I didn't sign for it either. It was too funny.