Company name and location: D.W. Morgan, headquartered in the USA
Size (in GB and amount of records): 100+ GB of data, over 2.5 million files
Data Storage Format: AWS S3 bucket
Countries Affected: Worldwide
The Website Planet security team discovered a data breach affecting D.W. Morgan, a multinational supply chain management and logistics company based in the United States.
An Amazon S3 bucket owned by D.W. Morgan was left accessible without authorization controls in place, exposing sensitive data relating to shipments and the company’s clients.
As a market leader, D.W. Morgan provides services to some of the biggest companies in the world and there are major Fortune 500 organizations with data exposed on the open bucket.
Customer Data Exposed
An Amazon S3 bucket owned by D.W. Morgan was misconfigured, exposing more than 2.5 million files equating to over 100GB of data. These files relate to D.W. Morgan’s clients and their shipments.
Among these clients were huge businesses from America and around the world, including some Fortune 500 companies.
We found five different datasets on the bucket. Each dataset was stored in a corresponding folder.
Three of these datasets contained sensitive client data and employee PII:
- Transportation plans & agreements
- Process photos
Two datasets appeared to expose PII and sensitive data, though, we are not sure exactly whom (or, in some cases, “what”) this data is exposing:
- Unknown documents
Transportation plans & agreements outlined every step of the shipment process for each exposed D.W. Morgan client. This information included the agreed course of action for delivery drivers, warehouse staff, and security staff. There were more than 150 of these files on the bucket which exposed forms of sensitive client data and employee PII:
- Process details, incl. agreed procedure for loading, delivery, and security of goods.
- Facility locations of clients’ facilities.
- Full names of client, third-party, and D.W. Morgan employees.
- Phone numbers (office and mobile) of client, third party, and D.W. Morgan employees.
- Email addresses of client, third party, and D.W. Morgan employees.
Process photos contained images taken as part of the shipment process. These images were likely captured by employees to record shipments and documents in accordance with D.W. Morgan’s standard operating procedure. There were over 800,000 of these files on the bucket, around 400,000 of which were unique. These files exposed sensitive client data, including:
- Images of on-site documents, e.g. bills of lading
- Cargo damages of shipments
- Photos of shipments
- Photos of package labels
Attachments include invoices, shipping labels, and packing lists that likely come from D.W. Morgan’s CMS or email system. These files contain information about D.W. Morgan’s clients and employees of third parties (i.e. the suppliers of D.W. Morgan’s clients). There were over 10,000 of these files on D.W. Morgan’s bucket which leaked examples of sensitive client data and employee PII:
- Goods ordered
- Prices paid for goods
- Delivery addresses
- Billing addresses
- Dates of invoices
- Full names of third party employees
- Phone numbers of third party employees
- Email addresses of third party employees
- Shipping barcodes
The final two datasets expose some forms of data, although, we’re not completely sure who this data belongs to.
Signatures featured on the bucket. While there was no additional information about signatures, presumably they relate to shipment pickups/drop-offs. They could expose employees of D.W. Morgan or its clients. We found over 1.5 million of these files on the bucket. Signatures exposed PII:
- Digital signatures (written, not scanned)
- Full names, identifiable in some signatures
Unknown documents featured on the bucket, too. There were over 100,000 of these files. Unknown documents seemed to show codes along with locations and company names. However, without more information available it’s difficult to discern who or what these files expose.
D.W. Morgan’s open Amazon S3 bucket was live and being updated at the time of discovery. We found files dating from 2013 to late 2021 on the bucket.
Amazon isn’t responsible for the management of D.W. Morgan’s bucket and, therefore, isn’t at fault for this data exposure.
We know that numerous businesses are affected by this data breach.
Many of the exposed shipment processes in transportation plans & agreements regarded high-security loads for D.W. Morgan’s clients. What’s more, deliveries for huge corporations were exposed in files, including the Fortune 500 company Cisco and the Global 500 company Ericsson. Another large business, Life Technologies, was also exposed in files.
We know these businesses are clients as they’re referenced in D.W. Morgan’s official LinkedIn bio.
Transportation plans & agreements also exposed the personal data of employees at client businesses, third-party businesses (such as goods suppliers), and D.W. Morgan.
You can see evidence of transportation plans and agreements for the aforementioned clients below.
Process photos featured photos of various types, such as images of shipments, packages, labels, and documents. Some photos picture damaged packages. One can only assume photos were taken by D.W. Morgan drivers and/or depot employees.
You can see evidence of process photos below.
Attachments files were dated from November 2017 to late 2021. Presumably, these attachments were collected from D.W. Morgan’s CMS or email system. Many of the invoices detailed high-value orders worth around US$300,000.
You can see evidence of attachments in the following images.
Signatures were found that dated anywhere from June 2013 to late 2021. Without more information, it’s impossible to discern whether these files have exposed the data of clients or D.W. Morgan employees. In other words, are the signatures from drivers, depot staff, employees at delivery locations, or any other relevant persons?
You can see examples of signatures in the images below.
Finally, unknown documents expose various “inbound” and “outbound” details and company names. We believe they relate to shipments. However, it’s difficult to know this for certain without more information or a better understanding of relevant processes.
You can see evidence of an unknown document in the following image.
We cannot know whether bad actors acquired the bucket’s content. If malicious actors have accessed the bucket, D.W. Morgan and its clients could be targeted with criminal activities.
D.W. Morgan could also face legal sanctions from several jurisdictions.
Who was Affected?
D.W. Morgan is a business-to-business brand and, therefore, the company’s open AWS S3 bucket exposed the information of client businesses.
Specifically, some exposed clients feature on Fortune’s list of the 500 largest companies in the US. Specifically, some exposed clients feature on Fortune’s list of the 500 largest companies in the US, including Cisco. While Ericsson is ranked as the 480th largest company on the planet in Fortune’s “Global 500” list.
D.W. Morgan’s operations are worldwide. Owing to the scope and size of D.W. Morgan’s trade, clients from nations around the world are affected.
Primarily, the exposed data relates to the shipments of client businesses. However, there are employees from client businesses, third-party businesses, and D.W. Morgan with names and contact details exposed.
Who Exposed the Data?
Founded in 1990, D.W. Morgan Company, Inc. provides transportation and logistics services for manufacturing supply chains throughout the United States and the rest of the world. D.W. Morgan doesn’t just handle the delivery of goods, however. The company uses its industry knowledge to improve the efficiency and cost-effectiveness of its clients’ supply chains.
D.W. Morgan is headquartered in Carson City, Nevada, USA, and generates an estimated annual turnover of US$240 million. D.W. Morgan operates offices and distribution centers in 12 more locations throughout the USA, plus one location in Mexico, one in the Netherlands, and seven more locations throughout East and Southeast Asia.
We know the open AWS S3 bucket belongs to D.W. Morgan because of references to the company in files.
Impact on Clients
While we cannot and do not know whether malicious actors have accessed the bucket’s content, there are various risks that exposed clients could face if anyone has downloaded or read the sensitive data stored on D.W. Morgan’s misconfigured bucket.
In particular, businesses could experience criminal activities and forms of cybercrime as a result of the open bucket.
Phishing & Malware
Several client employees have had their full names and contact details exposed. Hackers could target these people with phishing attacks and malware.
Hackers could call or message client employees, referencing details of shipments (like prices or goods ordered) to masquerade as a colleague, D.W. employee, or a representative of a supplier. Cybercriminals could even use details of shipment procedures to act as a delivery driver or depot employee fulfilling their role in the process.
Once the client employee trusts the hacker, the hacker could attempt to extract more information from the employee. The hacker may ask for personal information from the victim, or, the hacker could phish for industry secrets, intellectual properties, and other forms of sensitive company data that relate to the client business.
A cybercriminal could also convince the victim to click on a malicious link. Once clicked, malicious links can download malicious software (malware) onto the user’s device that supplements other forms of data collection and cybercrime.
D.W. Morgan staff and employees from third-party businesses have had details exposed, too, which means hackers could feasibly modify their approach to phish for data from additional organizations.
Fraud & Scams
Similarly, cybercriminals could pose as a colleague, D.W. Morgan employee, or third party supplier to conduct fraud and scams.
Cybercriminals could contact client businesses and their employees, referencing shipment details to build trust. From here, hackers could target employees and client businesses with various scams—schemes that are designed to trick people or organizations into giving them money.
For example, one possible outcome is a fake invoice scam. With invoices present on the bucket, hackers could convince client businesses that they need to pay charges for goods or D.W. Morgan services. The client’s payment would be funneled into an illegitimate bank account and collected by the hacker.
Theft of Goods
There was a myriad of details about shipments and internal processes exposed on D.W. Morgan’s open bucket. Criminals could acquire the content of the bucket to target depots, delivery locations, and client facilities with theft.
Hackers could use the bucket’s data to estimate the location of high-value shipments, even masquerading as a depot or a D.W. Morgan employee to cover their tracks or acquire more information. For example, a criminal could ring facilities on a shipment’s route to find out which facilities have so far received goods. With enough information, a criminal could intercept and steal a shipment’s goods.
Third-party staff, client staff, D.W. depot staff, and delivery drivers could, therefore, also be at risk of confrontation with a criminal.
Impact on D.W. Morgan
D.W. Morgan could be confronted with various damages of its own following the company’s data breach. Impacts could come in the form of legal sanctions.
As mentioned above, D.W. Morgan and its staff could be affected by phishing, scams, and theft of goods. Rival corporate entities could also take an interest in D.W. Morgan’s bucket’s content.
Data Privacy Violations
D.W. Morgan operates from locations in 10 different nation-states and the company’s services are global. D.W. Morgan’s open bucket’s content reflects the international scope of the company’s business with exposed clients from several different nations.
This means D.W. Morgan is likely to face investigation from numerous jurisdictions.
D.W. Morgan is based in the US and primarily operates within its home nation. This means an inquiry from the Federal Trade Commission (FTC) is likely.
The FTC protects customers and clients from unfair or deceptive business acts or practices. Mishandling data is a possible breach of the FTC Act. Any business that the FTC finds has mishandled data could be handed a maximum fine of US$100 million, with the arrest of culpable individuals in the most severe cases.
In addition to the FTC, several other regulatory bodies from other jurisdictions could investigate D.W. Morgan. This may include the UK’s Information Commissioners Office (ICO), the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Japan’s Personal Information Protection Commission (PPC), and various other regulators from Asia and North America.
D.W. Morgan’s open bucket could place the company at risk of competition espionage.
In cases of competition espionage, organizations or entities with a corporate interest in the bucket may purchase its contents from a hacker or cybercriminal. These entities could be rival businesses of D.W. Morgan, such as competitors in the logistics/supply chain management industry, or marketing firms that could make use of the bucket’s data.
There are clients, invoices of payment terms, details of high-security processes and more exposed on the bucket. Rival businesses or interested parties could research these files to potentially steal intellectual properties and trade secrets from D.W. Morgan.
Entities could also contact exposed D.W. Morgan clients with improved offers in attempts to steal business away from D.W. Morgan.
Status of the Data Breach
We discovered the open AWS S3 bucket on November 12th, 2021. Identifying the owner of the bucket was fairly straightforward due to references to D.W. Morgan throughout.
After discovering the bucket, the Website Planet security team sent a message to D.W. Morgan on November 12th, 2021. We sent follow-up messages to D.W. Morgan contacts on November 15th, 2021, and a D.W. Morgan representative replied on the company’s dedicated privacy email address. We disclosed the security breach to this account on the same day. On November 16th, 2021, D.W. Morgan’s bucket was secured.
D.W. Morgan replied to our responsible disclosure of this data breach quickly and acted in a professional and timely manner to secure the open bucket.
Response from D.W. Morgan:
“We’d like to thank Website Planet for the responsible disclosure of this vulnerability. This allowed us to immediately take the necessary actions to rectify the issue and prevent any major impact to our customers.”
Protecting Your Data
Businesses with information exposed on the bucket should take necessary steps to mitigate the threat of criminal activities.
Businesses should educate employees about the threat of phishing, malware, scams, and other forms of cybercrime. Employees should be wary of any person asking for personal details or information about the business’s operations. Employees should avoid giving information to any person claiming to represent a customer or employee unless that person can prove their identity. In addition, exposed companies could implement systems that allow employees to authenticate themselves when contacting one another via phone or email.
D.W. Morgan could consider implementing changes to its exposed procedures and delivery times to mitigate the threat of theft. The company should also closely monitor any pending shipments exposed on the bucket in preparation for potential theft attempts.
Every organization should check the status of its databases at regular intervals to make sure they are secure.
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet safer for everyone.
What is Website Planet?
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence. You’ll find tools and resources for everyone, from beginners to experts — and honesty is our top priority.
We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a medical AI platform, as well as a breach in a French real estate agency exposing sensitive data.