An unsecured FedEx server was breached, exposing thousands of customers’ personal information, a security research firm discovered earlier this month. Kromtech white hat research group discovered the unsecured Amazon S3 server holding over 100,000 scanned documents including passports, driver licenses and security IDs.
In a statement, a FedEx spokesperson said the server has since been secured and the data wasn’t “misappropriated.”
‘After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.’
Josh Mayfield, director at FireMon, explains that 99% of breaches occur because of misconfigurations. “When we look at the sources of all data breaches, it ultimately comes down to something not having the proper controls. In the case of Bongo/FedEx, we again see the notorious S3 bucket misconfigured to allow unauthorised access.”
“Until we get a handle on the myths we let proliferate in our heads, we’re never going to get up to the starting line and achieve configuration assurance. While there is little doubt that trying to stop these kinds of attacks is difficult, the fact is the breaches themselves are not all that difficult. For all of our talk about threat sophistication, most could have been stopped with simple or immediate controls.”
Alex Heid, white hat hacker and chief research officer at SecurityScorecard, said that FedEx shouldn’t be judged for having the data open, but on how it reacted to the breach. “It’s a matter of having a program in place when it happens.”
The reality of the data breach
“It is a myth that breaches come from sophisticated attackers, it is a myth that breaches stem from application weaknesses only, it is a myth that breaches are inevitable, it is a myth that technology won’t help, it is a myth that patching at random will halt the cybercriminal,” said Mayfield.
“Just add a few disciplines and you’ll find yourself in a much stronger security posture. Use vulnerability management that simulates trouble and patches. Calibrate your compliance controls to mirror your security intent. Automate changes when trouble is detected. These are disciplines where security teams have strength and experience. We just have to apply it to the entire attack surface – including federated networks after an M&A (like Bongo and FedEx).”