Close Menu
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Facebook X (Twitter) LinkedIn
Facebook X (Twitter) LinkedIn
Information Security BuzzInformation Security Buzz
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Subscribe
Information Security BuzzInformation Security Buzz
Home - News & Analysis - FedEx Customer Documents Exposed In Mass Data Breach
News & Analysis

FedEx Customer Documents Exposed In Mass Data Breach

ISBuzz TeamBy ISBuzz TeamFebruary 16, 2018Updated:July 4, 20245 Mins Read
Share LinkedIn Twitter Facebook Copy Link Email
Rapid Automation and Industrialization of Cyber Attacks
Share
Facebook Twitter LinkedIn Email Copy Link
Quick AI Summary
ChatGPTClaudeGeminiGrokPerplexityDeepSeekCopilot

It has been reported that an unsecured FedEx server was breached, exposing thousands of customers’ personal information, a prominent security research firm discovered earlier this month. Package forwarding service Bongo International was acquired by FedEx in 2014 and now serves as a e-commerce service called FedEx Cross Border. But an unsecured Amazon S3 server, according to the white hat research group Kromtech, was holding more than 100,000 scanned documents including passports, drivers licenses, and security IDs. The white hat group responsibly disclosed the breach.  IT security experts commented below.

Patrick Hunter, Director at One Identity: 

“This is an interesting case where a company does all the right things when they’ve discovered they had a potential weakness.  Mergers and acquisitions are fraught with security pitfalls.  The boundary where the two organisations meet is a weakness; they are bound to have different policies, different systems, incompatible technology and differing cultural views towards cyber security.

FedEx found the issue and plugged the gap, then announced what they had done and why.  All the right things…but are they just lucky?  The data was old but it contained a lot of personal information which could still have caused damage.  I wouldn’t be too sympathetic as they could have solved the problem by better protecting access to all systems further out, nearer the boundaries.  I am not talking about firewalls here, but true access management.  If a hacker should gain access to the network, in the FedEx example, they could have had free rein but if you lock down the access to privileged accounts then the point becomes moot.  The server couldn’t have been accessed without express permission – this can even be done is real time.

Is this just a case of a company finding exposed data before the hacker?  We’ve seen what happens when the scenario is the other way around.  Organisations need look at their security strategies and take the wider view.  Don’t just focus at the server level but at the Identity level, restrict and control those accounts that could run amok in the wrong hands.  I think FedEx did all the right things but maybe they were lucky here, especially with the latest GDPR regulation looming in May.”

Javvad Malik, Security Advocate at AlienVault:

Javvad Malik“Misconfigured AWS S3 buckets have been plaguing many enterprises for some time now. This is despite Amazon rolling out additional controls that email users where an AWS S3 bucket is set to public visibility.

Incidents like this serve as a reminder that cloud environments need to be proactively monitored and accounted for. It can be easy for enterprises to forget cloud assets, which can go unprotected for long periods of time.

With the increased interest in AWS S3 buckets, enterprises need to ensure only those assets are publicly exposed which need to be. Otherwise, it may not be a whitehat that finds the unsecured database, particularly as services like Buckhacker become available.”

Josh Mayfield, Director at FireMon: 

Did you know that 99% of breaches occur because of misconfigurations?  Really, I’m not joking here.  When we look at the sources of all data breaches, it ultimately comes down to something not having the proper controls.  In the case of Bongo/FedEx, we again see the notorious S3 bucket misconfigured to allow unauthorized access.

Until we get a handle on the myths we let proliferate in our heads, we’re never going to get up to the starting line and achieve configuration assurance.  While there is little doubt that trying to stop these kinds of attacks is difficult, the fact is the breaches themselves are not all that difficult. For all of our talk about threat sophistication, most could have been stopped with simple or immediate controls.

We can check for vulnerabilities with ongoing attack simulations.  We can do regular compliance checks with machines that bump our configurations against our security intentions, flagging us when we’ve drifted.  And we can orchestrate changes to all devices and cloud controls to fortify data against such a breach.

It is a myth that breaches come from sophisticated attackers, it is a myth that breaches stem from application weaknesses only, it is a myth that breaches are inevitable, it is a myth that technology won’t help, it is a myth that patching at random will halt the cybercriminal.

Just add a few disciplines and you’ll find yourself in a much stronger security posture.  Use vulnerability management that simulates trouble and patches.  Calibrate your compliance controls to mirror your security intent.  Automate changes when trouble is detected.  These are disciplines where security teams have strength and experience.  We just have to apply it to the entire attack surface – including federated networks after an M&A (like Bongo and FedEx).

Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:

“Yet another S3 breach! We keep seeing these. It’s the upside and downside of cloud computing. Organisations need to monitor S3 bucket permissions. I am confident there are similar issues with other cloud providers, but they are just not surfacing as yet.”

ISBuzz Team
  • ISBuzz Team
    Air Canada Data Breach: BianLian Extortion Group Claims A Massive Heist Contrary To Airline’s Earlier Statement
  • ISBuzz Team
    Unprecedented DDoS Attack Rocks The Web: Tech Giants Reveal A Digital Tsunami
  • ISBuzz Team
    CISA Flags High-Severity Adobe Acrobat Reader Flaw Amid Active Exploits
  • ISBuzz Team
    Curl Security Alert: Patching A Critical Bug Averting Potential Cyber Catastrophe

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Share. Facebook Twitter LinkedIn Email Copy Link

Related Posts

The Real Cost of Inconsistent Third-Party Access

December 18, 20255 Mins Read

What Happens When Devices Cross Borders? The Role of Geofencing in Global IT

August 7, 20256 Mins Read

The Evolving Importance of Identity Governance in FinTech

July 10, 20258 Mins Read
ISB-Bora-Side-Bar

No se ha podido establecer conexión. Error 429

 
ISB-Bora-Side-Bar
Black ISB Logo

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

X (Twitter) LinkedIn Facebook RSS

Working With Us

  • About Us
  • Advertise With Us
  • Contact Us

Write For Us

  • How To Contribute

The Pages

  • Privacy Policy
  • Cookie Policy
  • AI Policy
  • Terms & Conditions
  • Copyright Notice

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.

Type above and press Enter to search. Press Esc to cancel.

Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}