Bongo International/FedEx

Original Release Date: 2/16/2018

Summary

Kromtech security researchers discovered an Amazon S3 bucket configured for public access that originally belonged to Bongo International, a company that was bought by FedEx in 2014. The exposed bucket contained drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. Kromtech contacted ZDNet reporter Zack Whittaker, who was able to get the bucket secured and removed from public access.

Recommendations

The NJCCIC recommends administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the recommended mitigation strategies provided as soon as possible. Bongo International and FedEx customers whose information may have been exposed should closely monitor their financial banking statements and consider placing a security freeze on their credit files by contacting the three major credit bureaus.

New Jersey Cybersecurity & Communications Integration Cell
