More than 110,000 ID documents including passports and driving licences linked to a subsidiary of delivery firm FedEx have been left exposed online, a security firm has revealed.
A leaky cloud database, set to public access, contained the personal information of both US and international citizens from countries including the UK, Japan, Canada, China and Australia, found researchers from Kromtech Security Centre, a division of MacKeeper.
Other documentation, discovered in early February, included names, home addresses, phone numbers and zip codes, according to a blog post published Thursday (15 February).
Upon analysis, Kromtech concluded that the information was linked to a cross-border payments firm called Bongo International LLC, which was bought by FedEx back in 2014 before being re-launched as FedEx Cross-Border International. Ultimately, the subsidiary was shuttered in April last year.
The leaked citizen data, effectively inherited by FedEx during the acquisition, dated back to 2009, researchers said. The database has now been secured and the data is no longer at risk.
A FedEx spokesperson confirmed to ZDNet that "archived" Bongo data was left online without adequate protection, blaming the exposure on an unnamed third-party company.
Bob Diachenko, head of communications at Kromtech Security Centre, said in the Thursday blog post it was concerning that citizen data had been left online "for many years in a row".
"This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale," the researchers continued. "During the integration or migration phase is usually the best time to identify any security and data privacy risks."
ZDNet said that the leaked Bongo data - needed to verify users' identities - also included voting identification, firearms licences and even US military identification cards.
Tony Pepper, CEO of data security company Egress Software Technologies Inc, said: "It's alarming that 112,000 sensitive files were left exposed on this server, including data that, if in the wrong hands, could lead to fraud and financial loss for the data subjects involved.
"When citizens provide such details to organisations in exchange for their services, they have every right to expect their data will be protected throughout its lifecycle – including when it's no longer required. This shows a lack of best practice and human error that, combined, put highly sensitive data at risk. What's more, there's no knowing how many similar scenarios are awaiting discovery."