I have interviewed too many CISOs to count-who have said that mergers and acquisitions increase security risks to the business.
This is one of those cases, where a company called Bongo, which was acquired by FedEx, left one of its AWS S3 buckets exposed. For years.
And this one was loaded with 119,000 documents, including passport scans:
There were also shipping forms with names and adresses and other identifying information.
Researchers at Kromtech made the discovery. And they say the AWS bucket has now been secured.
At the least, this is embarassing for FedEx. Hopefully no one else found this information.
It is also a reminder to check the S3 bucket settings when your organization goes through its next round of M&A.