Individuals and corporations are opting to use the cloud for storage, some for private documents and others for organizational ones, with different sensitivity levels and special security configurations and requirements.

An unsecured Amazon Web Services S3 Cloud Storage server exposed 119,000 FedEx customer records (data from 2008-2015), including civilian and military ID cards, resumes, bills, and many more.

Special security and prevention measures should be in place when cloud storage is involved.

That is to say, enforcing security policies and periodically testing to anticipate those findings is a MUST.



Having stuff in the cloud is not the issue; the problem arises when the cloud, in this case AWS S3 (cloud storage), contains sensitive and private data and is NOT suitably secured.

The key issue here is due diligence, and managers should exercise it. In this case, managers should have periodically reviewed (with vulnerability assessments or penetration tests) the kinds of things that could put the business at risk.

MacKeeper Security Research was the first to announce that the exposure of 119,000 FedEx user records was related to an insecure AWS storage server. This is not new, since other companies had already been affected by the same issue, for example Dow Jones, Verizon and the GOP. Companies should learn the lessons from others and start doing the appropriate due diligence and research… but some decided not to do it.

The main problems:

Acquisitions: FedEx acquired a company called Bongo (2014), which in turn used AWS S3 to store sensitive client information (poorly secured). FedEx bought not only the company but all the Bongo-related processes and practices. Bongo stored sensitive information in insecure AWS S3 storage servers. Although Bongo was primarily responsible, FedEx acquired the liability and responsibility.

Poor or no configuration and incorrect settings on the cloud servers (failing to fulfill the security policy).
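The periodic review argued for above can be partly automated. The following is an added example, not code from the original article or from any company named in it: it checks exported S3 bucket settings for public ACL grants, wildcard-principal policy statements and missing Block Public Access flags. The bucket names and sample data are constructed, and the dictionaries are assumed to mirror the shape returned by S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls.

```python
# Added example: offline audit of exported S3 bucket settings (sample data is constructed).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(name, acl, policy=None, pab=None):
    """Return findings for one bucket. acl/policy/pab are parsed JSON dicts;
    pab is the inner PublicAccessBlockConfiguration object (None if never set)."""
    pab = pab or {}
    findings = []
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append(f"{name}: Block Public Access flags off: {', '.join(missing)}")
    # Public ACL grants take effect unless IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if who:
                findings.append(f"{name}: ACL grants {grant.get('Permission')} to {who}")
    # A public bucket policy is effective unless RestrictPublicBuckets is enabled.
    if policy and not pab.get("RestrictPublicBuckets"):
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may not be wrapped in a list
            statements = [statements]
        for st in statements:
            principal = st.get("Principal")
            if isinstance(principal, dict):
                principal = principal.get("AWS")
            # Simplification: wildcard statements with a Condition need manual review.
            if st.get("Effect") == "Allow" and principal in ("*", ["*"]) and "Condition" not in st:
                findings.append(f"{name}: policy allows {st.get('Action')} to any principal")
    return findings

# Constructed inventory: one exposed bucket, one with the same ACL but fully blocked.
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
INVENTORY = {
    "example-scanned-ids": {"acl": PUBLIC_READ_ACL, "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-scanned-ids/*"}]}},
    "example-locked": {"acl": PUBLIC_READ_ACL, "pab": dict.fromkeys(PAB_FLAGS, True)},
}

def audit_inventory(inventory):
    return {name: audit_bucket(name, **cfg) for name, cfg in inventory.items()}

if __name__ == "__main__":
    for bucket, findings in audit_inventory(INVENTORY).items():
        print(bucket, "->", findings or "no findings")
```

An empty findings list only means none of these three checks fired; conditional policy statements and object-level ACLs still need review.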

The 119,000 files exposed are drivers’ licenses, work IDs, bills, voting cards, insurance cards, credit cards, and military IDs among others from citizens in the US, Asia, Australia, Europe, and the Middle East.