Was FedEx Hacked?

By | March 11, 2016

Fedex 767

If you’ve shipped packages with FedEx over the last 72 hours, you likely had problems getting your shipment delivered on time. FedEx blames the delays on bad weather in their Memphis hub and a resulting failure of their tracking system, caused by the bad weather. I myself had that explanation given to me by Customer Service Representatives, Supervisors in call centers and Tracing Specialists trying to find packages destined for me that did not arrive on time. FedEx’s Media Relations department was contacted for a comment on this situation Friday morning but has not responded.

For a company as technologically advanced and aware of their often mission-critical role to their customers, the excuse about weather making their tracking system fail just doesn’t seem legitimate.

Screengrab of message on FedEx.com Friday, March 11, 2016

I live in the Midwest and know Spring storms can raise havoc with airport operations, and although FedEx claims the problems that caused the delays at their Memphis hub lasted for three days and was the subject of a story in the Memphis Commercial Appeal newspaper, I’ll grant that it is indeed possible, although highly improbable, that a three day weather situation could have affected getting a large number of planes in and out of Memphis. But could the same situation have caused three days of data outages?

The “company line” from FedEx is that the storms in Memphis knocked out the company’s computerized tracking system and made it impossible to track packages, tell where the parcels were at any given time, or estimate delivery times. That makes the assumption that the only place FedEx can process this data is at its Memphis facility.

But that in fact doesn’t seem to be the case. In 2011, FedEx opened a data center in Colorado Springs, Colorado that, by 2013, was intended to be the company’s primary data processing facility. This article from the Colorado Springs Gazette newspaper written when the facility opened confirms that fact and goes into great detail about how the center will operate “the company’s package-tracking, billing, aviation planning, and other systems.” The article even quotes a FedEx executive raving about everything that will be done at the facility

“This facility in the long term will replace (the data center portion of) our corporate technology center in Memphis,” said Rob Carter, chief information officer of FedEx; Carter began his career with the package shipping giant 18 years ago in its software development operation that shares a campus with the new data center.

“This will become our primary data center and will represent 40 percent of our overall computing capacity,” Carter said. “We have made a significant investment this facility. It will be one of our largest data centers for years to come.”

So FedEx claimed at the time that package tracking, the very system that wasn’t operational for over two days, would be housed in Colorado Springs, approximately 852 miles from Memphis. It’s hard to fathom that with today’s standard data center redundancies and even the most bare-bones crisis management plan that the weather in Memphis somehow prevented a handoff of the package tracking operations to Colorado Springs.

FedEx operates an extensive private wireless network to transmit data, including tracking information, and while it is possible that weather in Memphis might have affected the operation of that network, it’s still hard to believe that backup systems were not in place in the case of the emergency that the company is blaming all of these problems on. It is 2016, after all.

FedEx is certainly aware of the importance of keeping their systems up and running. They even wrote about it in their 2015 Annual Report.

We rely heavily on information and technology to operate our transportation and business networks, and any cybersecurity incident or other disruption to our technology infrastructure could result in the loss of critical confidential information or adversely impact our reputation, business or results of operations. Our ability to attract and retain customers and to compete effectively depends in part upon the sophistication and reliability of our technology network, including our ability to provide features of service that are important to our customers and to protect our confidential business information and the information provided by our customers. We are subject to risks imposed by cybersecurity incidents, which can range from uncoordinated individual attempts to gain unauthorized access to our information technology systems, to sophisticated and targeted measures directed at us and our systems, customers or service providers. Additionally, risks such as code anomalies, “Acts of God,” transitional challenges in migrating operating company functionality to our FedEx enterprise automation platform, data leakage and human error, pose a direct threat to our products, services and data. Any disruption to our complex, global technology infrastructure, including those impacting our computer systems and fedex.com, could result in the loss of confidential business or customer information, adversely impact our customer service, volumes and revenues or could lead to litigation or investigations, resulting in significant costs. These types of adverse impacts could also occur in the event the confidentiality, integrity or availability of company and customer information was compromised due to a data loss by FedEx or a trusted third party. While we have invested and continue to invest in technology security initiatives, information technology risk management and disaster recovery plans, these measures cannot fully insulate us from cybersecurity incidents, technology disruptions or data loss, which could adversely impact our competitiveness and results of operations. Additionally, the cost and operational consequences of implementing further data or system protection measures could be significant.

So was FedEx hacked? Do “bad guys” have information about customer accounts, including names, addresses, and credit card numbers? Does someone know what packages have been shipped from one company to another or to different locations within the same company and what reference codes might divulge what is in those packages? Is someone who shouldn’t be aware of what highly valuable packages are in the FedEx system and are sitting on a loading dock somewhere? We may never know, and if we do ever find out, it could be months from now. Different states have different laws about how soon a data breach has to be disclosed, and, going back to that Annual Report quoted above, FedEx doesn’t want any bad publicity:

Our businesses depend on our strong reputation and the value of the FedEx brand. The FedEx brand name symbolizes high-quality service, reliability and speed. FedEx is one of the most widely recognized, trusted and respected brands in the world, and the FedEx brand is one of our most important and valuable assets. In addition, we have a strong reputation among customers and the general public for high standards of social and environmental responsibility and corporate governance and ethics. The FedEx brand name and our corporate reputation are powerful sales and marketing tools, and we devote significant resources to promoting and protecting them. Adverse publicity (whether or not justified) relating to activities by our employees, contractors or agents, such as customer service mishaps or noncompliance with laws, could tarnish our reputation and reduce the value of our brand. With the increase in the use of social media outlets such as YouTube and Twitter, adverse publicity can be disseminated quickly and broadly, making it increasingly difficult for us to defend against. Damage to our reputation and loss of brand equity could reduce demand for our services and thus have an adverse effect on our financial condition, liquidity and results of operations, as well as require additional resources to rebuild our reputation and restore the value of our brand.

Sometimes guarding the brand is more important than telling the truth.

This article originally appeared on Medium.