FedEx exposes customer records

Global package delivery company FedEx says it has secured some of the customer identification records that were left on an unsecured AWS S3 bucket, and so far has found no evidence that private data was "misappropriated."

The company stored stored more than 119,000 scanned documents from U.S. and international citizens, such as passports, driving licenses, and security identification, on an S3 bucket that was publicly accessible, according to a report from security research firm Kromtech.

Kromtech said its researchers found the unsecured server on Feb. 5 and it was closed to public access on earlier this week.

The data was collected by a company FedEx acquired in 2014, Bongo International, which calculated international shipping prices and provided other services. FedEx later discontinued the service.

"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," FedEx spokesman Jim McCluskey said in a statement.

"We have found no indication that any information has been misappropriated and will continue our investigation," McCluskey said.

McCluskey declined to elaborate on what portion of the records were secure, or whether FedEx had notified authorities. The incident affected a tiny portion of FedEx customers globally.

The exposure appears far less disruptive than a cyber attack last year on Fedex's Dutch TNT Express unit, which slashed US$300 million from its quarterly profit.

The Memphis, Tennessee-based company joined a string of companies that reported big drops in earnings because of the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices.

(Reporting by Eric M. Johnson in SeattleEditing by Jonathan Oatis)