UPDATED 22:02 EST / FEBRUARY 15 2018


FedEx exposes confidential customer data via misconfigured AWS storage

Global shipping giant FedEx Corp. is the latest participant in the hit online series “Let’s Misconfigure Our AWS Storage” after it was revealed today that a company it acquired in 2014 had left confidential customer data sitting in an Amazon S3 bucket with zero security.

The data came from a company called Bongo International, later renamed FedEx CrossBorder. It provides assistance to retailers selling products online to consumers around the world by handling shipping and duty calculations and currency conversions. The exposed data, discovered by Kromtech Security Center, included 119,000 scanned documents from U.S. and international citizens, including passports, driving licenses and security identification.

FedEx confirmed that the data was exposed online, but told ZDNet that “we have found no indication that any information has been misappropriated and will continue our investigation.”

Discussing the data exposure, Carl Wright, chief revenue officer for AttackIQ Inc., told SiliconANGLE that “sadly, this outcome is all too common for organizations storing customer data on third-party systems.” What’s more, he said, it could have been avoided.

“The attack surface has significantly expanded for many enterprises – without any guarantee of uniform security controls and processes,” Wright said. “Consequently, it’s even more imperative that organizations assume attackers are constantly testing security controls for misconfigurations.”

Varun Badhwar, chief executive officer and co-founder of RedLock Inc., noted that “cloud security breaches due to publicly exposed cloud storage services such as the one at FedEx have plagued the industry for over a year now.” He warned that the problem is not going away anytime soon despite cloud service providers’ efforts to provide additional tools to organizations to detect such misconfigurations. That’s because changes to sharing permissions for these services are being made by users without any security oversight, he said.

“Even if an organization enforces strict monitoring to ensure such mistakes are not made within its own public cloud environment, it still needs to ensure that third-party providers that have access to the organization’s sensitive data are taking similar measures,” Badhwar added.

Brian NeSmith, chief executive officer and co-founder at Arctic Wolf Networks Inc., said that the FedEx data exposure should be a call to arms.

“We need to get our heads out of the clouds, because cloud services are only as secure as you make them,” NeSmith said. “Companies need to start applying the same rigor and discipline to their cloud infrastructure as they do to their on-premises network. Far too often, they make the mistake of thinking the cloud provider is taking care of security, but countless examples of incidents similar to the most recent FedEx one are stark reminders that cloud providers are not.”

Agreeing with NeSmith, Ben Johnson, chief technology officer and co-founder of Obsidian Security Inc., said that the incident, like others, raises the larger issue that many organizations have not yet fully grasped: “Most public cloud providers are not managing their data – but are just providing a platform or infrastructure, so the management protection of data is left up to the companies themselves,” he said. “It’s critical that enterprises understand the risks of the cloud – that availability and uptime also mean that their data can be easily accessed unless they have the right controls in place.”

Picture: mukluk/Flickr
