Personal information of thousands of FedEx customers worldwide was exposed on the web due to an Amazon Web Services (AWS) cloud storage server which was not secured with a password. Security researchers from Kromtech Security found the open AWS bucket which contained 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes. IT security experts commented below.
Willy Leichter, Vice President of Marketing at Virsec Systems:
“This story keeps repeating as often as Groundhog Day. Many data breaches don’t involve sophisticated hackers – just a careless IT person turning on a cloud server, ignoring the security settings, and copying files that should be under strict lock and key. It’s naïve to think that these accidents won’t get discovered. Hackers are continually scanning for new servers and probing for laxed security. If you turn on a random AWS server, that IP address will be scanned by hackers within minutes.”
Josh Mayfield, Cloud Security Expert at FireMon:
“Did you know that 99 percent of breaches occur because of misconfigurations? Really, I’m not joking here. When we look at the sources of all data breaches, it ultimately comes down to something not having the proper controls. In the case of Bongo/FedEx, we again see the notorious S3 bucket misconfigured to allow unauthorized access.
Until we get a handle on the myths we let proliferate in our heads, we’re never going to get up to the starting line and achieve configuration assurance. While there is little doubt that trying to stop these kinds of attacks is difficult, the fact is the breaches themselves are not all that difficult. For all of our talk about threat sophistication, most could have been stopped with simple or immediate controls.
We can check for vulnerabilities with ongoing attack simulations. We can do regular compliance checks with machines that bump our configurations against our security intentions, flagging us when we’ve drifted. And we can orchestrate changes to all devices and cloud controls to fortify data against such a breach.
It is a myth that breaches come from sophisticated attackers, it is a myth that breaches stem from application weaknesses only, it is a myth that breaches are inevitable, it is a myth that technology won’t help, it is a myth that patching at random will halt the cybercriminal.
Just add a few disciplines and you’ll find yourself in a much stronger security posture. Use vulnerability management that simulates trouble and patches. Calibrate your compliance controls to mirror your security intent. Automate changes when trouble is detected. These are disciplines where security teams have strength and experience. We just have to apply it to the entire attack surface – including federated networks after an M&A (like Bongo and FedEx).”
Michael Patterson, CEO at Plixer:
“If this vulnerability had been identified after May 25th, when the General Data Protection Regulation (GDPR) goes into effect, and if personally identifiable information for EU citizens was shown to have been breached, this could have be a finable offense for FedEx. GDPR is very specific in cases such as this to place ultimate responsibility on the Data Controllers (in case FedEx). Amazon essentially rents a platform for the storage of data, but security configurations for S3 buckets lies with the data owner. This S3 bucket may have been created by another organization, prior to FedEx’s acquisition, but this would not have exonerated them from the responsibility of data confidentiality. GDPR will change the game for organizational responsibility. Every organization should quickly audit their cloud implementations and look for misconfigured S3 buckets. Recently Amazon announced new features to help customers protect their data hosted in the cloud.”
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured, public AWS buckets is now a simple act for nefarious individuals. There are plenty of tools available today, similar to the BuckHacker search engine, that easily detect and take advantage of misconfigurations in public cloud apps. Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public internet should be considered table stakes for enterprise IT. Add FedEx to the laundry list of organizations with deep pockets and deep security resources who have fallen victim to a very basic, yet critical error.
One of the challenges with configuring cloud applications is ensuring that all access methods are secure and that the threat of a breach is mitigated. An effective way to address these threats is to implement a system that provides visibility over cloud data, alerts for high-risk configurations, and automatic, real-time protection mechanisms. Regulated organizations in healthcare and financial services are keenly aware of this challenge and make security a blocking requirement before any new applications can be deployed.”
