Security researchers at Website Planet Security Team have discovered a misconfigured Amazon S3 bucket owned by D.W. Morgan, a U.S.-based provider of transportation and logistics services for the manufacturing supply chains in the United States and internationally.
The misconfigured bucket exposed more than 2.5 million files equating to over 100GB of data relating to D.W. Morgan clients’ data and their shipments. Among Morgan’s customers were large businesses from America and around the world, including some Fortune 500 companies, such as Cisco and Ericsson.
The exposed data contained files detailing financial, shipment, transportation, personal and sensitive records, including signatures, full names, attachments, phone numbers, goods ordered, cargo damages, process photos, process details, billing addresses, dates of invoices, shipping barcodes, unknown documents, delivery addresses, facility locations, prices paid for goods, photos of shipments, photos of package labels, images of on-site documents, transportation plans and agreements.
The researchers discovered the insecure AWS S3 bucket on November 12, 2021, and contacted the company over the issue the same day. Four days later, on November 16, D.W. Morgan secured the S3 bucket. It is unclear, whether the database was accessed by malicious actors during the time it was exposed.