FedEx has confirmed a security breach that exposed about 119,000 scanned documents containing the private information of customers, including passports and driver’s licenses, according to researchers.
The documents were discovered on a publicly available database Feb. 5 by Kromtech, a German security firm, and ultimately determined to belong to Bongo International, a shipping company acquired by FedEx in 2014 and rebranded as FedExCrossBorder prior to shuttering last April, ZDNet first reported Thursday.
Kromtech notified FedEx, who in turn secured the data this Tuesday, Feb. 13, the report said.
“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” confirmed FedEx spokesperson Jim McCluskey. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”
Security researchers nonetheless warned the trove of sensitive personal data was likely publicly available for several years prior to being secured this week, potentially putting thousands of individuals around the world at risk.
“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years,” said Bob Diachenko, Kromtech’s chief communications officer. “Applications are dated within 2009-2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”
Citizens from all over the world left their scanned IDs – Mexico, Canada, EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia – to name a few.
In 2014 FedEx Corp. bought Bongo International and 14 months later, in 2016, relaunched it as FedEx Cross-Border International, to “address international purchasing obstacles with a seamless checkout and delivery approach that accepts over 80 currencies, provides 15 payment options, manages multiple delivery options, and offers credit card fraud protection, all through a single platform”.
However, FedEx Cross-Border service was shut down in April 2017.