FedEx customer information exposed in data breach

It has been reported that an unsecured FedEx server was breached, exposing thousands of customers’ personal information, a prominent security research firm discovered earlier this month. Package forwarding service Bongo International was acquired by FedEx in 2014 and now operates as an e-commerce service called FedEx Cross Border. According to the white hat research group Kromtech, an unsecured Amazon S3 server was holding more than 100,000 scanned documents, including passports, driver’s licenses, and security IDs. The white hat group responsibly disclosed the breach.

Commenting on this news is Patrick Hunter, Director at One Identity:


“This is an interesting case where a company does all the right things when they’ve discovered they had a potential weakness. Mergers and acquisitions are fraught with security pitfalls. The boundary where the two organisations meet is a weakness; they are bound to have different policies, different systems, incompatible technology and differing cultural views towards cyber security.

FedEx found the issue and plugged the gap, then announced what they had done and why. All the right things…but are they just lucky? The data was old but it contained a lot of personal information which could still have caused damage. I wouldn’t be too sympathetic as they could have solved the problem by better protecting access to all systems further out, nearer the boundaries. I am not talking about firewalls here, but true access management. If a hacker should gain access to the network, in the FedEx example, they could have had free rein, but if you lock down the access to privileged accounts then the point becomes moot. The server couldn’t have been accessed without express permission – this can even be done in real time.

Is this just a case of a company finding exposed data before the hacker? We’ve seen what happens when the scenario is the other way around. Organisations need to look at their security strategies and take the wider view. Don’t just focus at the server level but at the identity level; restrict and control those accounts that could run amok in the wrong hands. I think FedEx did all the right things but maybe they were lucky here, especially with the latest GDPR regulation looming in May.”