Fedex bought a company that stored 119,000 pieces of scanned customer IDs in a public Amazon cloud server, shut the company down, left the scans online for anyone to download
Fedex acquired a company called Bongo International in 2014; Bongo
specialized in helping North American companies sell overseas and after
the acquisition, Fedex renamed the company FedEx Cross-Border
International.
Bongo and/or Fedex stored 119,000 of its customers scanned pieces of ID
on an Amazon Web Services bucket that had no password or encryption;
these included passport scans, drivers licenses and other docs, each
accompanied by customs forms stating the customer’s full name, home
addresses and phone numbers.
Fedex shut down the division last April, but even then it did not audit its data-handling practices and shut down the archive or at least add a password to it (it’s down now).
Fedex says this is OK because if someone stole this data, they did so
without leaving a trail that Fedex can find. Kromtech, who made the
discovery, says they think the data may have been available since 2009.
