74,000 Data Records Breached on Stolen Coca-Cola Laptops



27 January 2014

Coca-Cola admitted Friday to the theft of an unspecified number of laptops containing personal information on 74,000 individuals – including, it turns out, variously, social security numbers, driving license details, salaries, and ethnicity, but fewer than ten credit card numbers. Data loss prevention, it would appear, was not in operation.

In what the Office of Inadequate Security (OIS) calls a "somewhat incomplete and unsatisfactory... notification letter", Coca-Cola is warning some 74,000 current and former employees and other individuals that their personal information may have been compromised. "The letter, signed by their CIO, Tom Miller, does not indicate when the laptops were stolen, how many were stolen, or the circumstances under which they were stolen. Nor does the letter disclose how many employees had data on the laptops and whether the data on the laptops were encrypted (or if not, why not)," writes OIS.

Apart from saying that Coca-Cola is arranging free credit monitoring for the victims, all the letter says about the incident is that it was discovered on December 10, 2013; that several laptops had been stolen; and that the company is "engaged with the appropriate law enforcement in this matter." Plus, of course, the company takes "very seriously the security of information on employees and other individuals," and "We deeply regret this incident occurred."

The Wall Street Journal, however, provides a bit more detail. "Coke spokeswoman Ann Moore," it reports, "said the laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment. She didn't identify the person or say whether that person was an employee when the laptops were transferred."

The company claims to have now regained possession of the laptops, and says it has no evidence that any of the personal data has been misused. Nevertheless, reports WSJ, "The beverage giant told its U.S. and Canadian employees the data on the laptops, which wasn't encrypted, included names, Social Security numbers and addresses, as well as details like financial compensation and ethnicity."

In an apparent contradiction, WSJ notes, "Coke said company policy requires laptops to be encrypted, but the stolen computers hadn't yet been encrypted." However, it also implies that the laptops had reached the end of their life, still unencrypted. "The laptops had been assigned to employees who maintained such information for its human resources operation. The laptops were turned over to the former employee to dispose of or recycle [but who instead stole them], according to Ms. Moore."

The implication is that Coca-Cola was not sufficiently monitoring personal data, nor adequately enforcing its policies – something that is not lost on the security industry. "Being aware that your information is at risk and ensuring that it is properly secured is not paranoia: it is instead sensible behavior in the information age," explains Chris McIntosh, CEO of ViaSat UK. "Organizations need to be sure they have a firm grasp on their data, know where and when it has been copied or transferred, and ensure that techniques such as encryption are in place in case it falls into the wrong hands."

The incident is precisely of the type that should be prevented by data loss prevention technologies. Kevin Bailey, head of marketing strategy at Clearswift, explains: "This type of incident shows why a layered security approach to all endpoints is essential," he told Infosecurity. "Policy enforcement that is bypassed for security features such as encryption, needs to be overlaid via an automated data protection offering, where movement of the data from the device is controlled via DLP policies that cannot be overridden or bypassed. Advanced DLP... would not only quarantine the information if it was attempted to be extracted via a USB or other network, but would physically redact the sensitive data so the lost PC would never freely make the sensitive content visible for unintentional use."
