Identity Documents Exposed in FedEx-Owned Amazon S3 Bucket

More than 119,000 scanned identity documents, including passports and drivers’ licenses, belonging to people from the United States and abroad were exposed in an insecure Amazon S3 storage bucket.

The storage bucket belonged to a company called Bongo International that provided services for cross-border transactions between U.S.-based online merchants and international customers, complete with anti-fraud verification and multicurrency payments. Bongo was acquired in 2014 by FedEx and was later relaunched as FedEx CrossBorder before being shut down last year.

The data in the misconfigured Amazon S3 bucket was collected by Bongo between 2009 and 2012 and had been publicly accessible in the bucket for many years until it was discovered this month by researchers from Kromtech Security Center.

The data includes scanned drivers’ licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, military identification cards and even some credit cards that were used for identity verification purposes, ZDNet reported after reviewing the files. FedEx told ZDNet that the data was from a discontinued service and that it has now been secured.

“During any M&A (mergers and acquisitions) transactions it is important that the company who is selling their assets notify their customers that the business is going to be sold and their private data will be transferred to new ownership,” the Kromtech researchers said in a blog post. “The purchasing company should give customers the option to opt out of their data being transferred and provide a data protection notice.”

The case also highlights why companies should carefully audit the digital assets they inherit when they acquire other companies. Making sure all customer data is properly secured and stored is important; otherwise, companies expose themselves to data breaches and the related costs of dealing with such incidents.

This is just the latest in a long string of cases in which the improper configuration of Amazon S3 storage buckets and other databases stored in public clouds led to customer data being exposed. There’s now even a search engine called “BuckHacker” that allows hackers to easily search through data in publicly exposed S3 buckets.

The service is still in a testing phase and is currently offline for maintenance, but reporters at VICE Motherboard had a chance to test it and confirmed that it works. Compared to other available tools for finding exposed Amazon storage buckets, the new search engine is very easy to use and doesn’t require any technical experience, Motherboard reported.

Energy Department Sets Up Cybersecurity Office to Protect Electrical Grid

The U.S. Department of Energy is creating a new office to deal with the increasing number of cyberthreats to the electrical grid.

The Office of Cybersecurity, Energy Security and Emergency Response (CESER) will be led by an assistant secretary who will report to the undersecretary of energy. President Trump’s FY19 budget proposal includes $96 million in funding for the new office.

“DOE plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack and natural disaster, and as Secretary, I have no higher priority,” U.S. Secretary of Energy Rick Perry said in a press release. “This new office best positions the department to address the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.”

The number of attacks against organizations in the energy sector has increased in recent years. In October, security firm FireEye warned that hackers likely affiliated with the North Korean government launched phishing attacks against electric companies in the United States. More than 20 hacker groups have attempted to gain access to energy sector systems that could be used to cause disruptions, the company said.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
