Coca-Cola has admitted falling prey to a bizarre slow-motion data breach in which an employee apparently stole, over several years, dozens of laptops containing the sensitive data of 74,000 people, without anyone noticing.
The unnamed former worker, said to have been in charge of equipment disposal, reportedly removed a total of 55 laptops over a six-year period from its Atlanta offices, including some that belonged to a bottling company acquired by the fizzy-drinks giant in 2010.
Only after recovering these during November and December did Coca-Cola realise that they contained 18,000 personal records that included social security numbers plus a further 56,000 covering other types of sensitive data. All but a few thousand were Coca-Cola employees or otherwise connected to the firm.
None of the records were encrypted, contrary to the firm’s security policy, the company told employees in a memo seen by the Wall Street Journal. Affected individuals were being contacted.
“To expedite the process, we brought in extra crews that worked long hours, including throughout the holiday period and on weekends,” the memo reportedly said by way of explaining the delay between discovering the issue in December and the company telling the world on 24 January.
The mystery of how the laptops disappeared is almost as strange as the fact that they later reappeared, allowing the breach to be characterised as temporary.
“Organisations need to be sure they have a firm grasp on their data, know where and when it has been copied or transferred, and ensure that techniques such as encryption are in place in case it falls into the wrong hands,” said Chris McIntosh, CEO of security firm ViaSat UK.
Then again, the failure here appears to be as much about physical security and the processes surrounding equipment disposal as about the data not being encrypted.
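The control gaps the article points to (laptops leaving the building through the disposal process with no record, and unencrypted disks on them) are the kind of thing a periodic reconciliation of the asset register against disposal paperwork would surface. The following is an added example, not code from the article, Coca-Cola or ViaSat: it cross-checks a laptop inventory against sanitisation certificates and device encryption status. All asset tags, dates and certificate references are constructed for illustration, and the 90-day check-in threshold is an assumed policy value.

```python
"""Reconcile a laptop asset register against disposal records.

Constructed example: every tag, date and certificate number below is
made up for illustration and is not taken from the Coca-Cola incident.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    tag: str
    status: str          # "active" or "retired"
    encrypted: bool      # full-disk encryption confirmed by management tooling
    last_seen: date      # last check-in with inventory / device management


@dataclass(frozen=True)
class Disposal:
    tag: str
    certificate: str     # sanitisation / destruction certificate reference
    disposed_on: date


def reconcile(assets, disposals, today, stale_after_days=90):
    """Return a sorted list of (asset_tag, finding) pairs.

    Findings raised:
      retired-without-certificate    retired in the register, but no proof it was sanitised
      not-seen-recently              active device that has not checked in for stale_after_days
      unencrypted                    disk not encrypted, flagged unless the device is provably destroyed
      certificate-for-unknown-asset  disposal paperwork for a tag the register does not know
    """
    known_tags = {a.tag for a in assets}
    cert_by_tag = {d.tag: d for d in disposals}
    stale_before = today - timedelta(days=stale_after_days)  # assumed policy threshold
    findings = []

    for a in assets:
        # A retired device only counts as gone if a certificate backs that up.
        destroyed = a.status == "retired" and a.tag in cert_by_tag
        if a.status == "retired" and not destroyed:
            findings.append((a.tag, "retired-without-certificate"))
        if a.status == "active" and a.last_seen < stale_before:
            findings.append((a.tag, "not-seen-recently"))
        if not a.encrypted and not destroyed:
            findings.append((a.tag, "unencrypted"))

    for d in disposals:
        if d.tag not in known_tags:
            findings.append((d.tag, "certificate-for-unknown-asset"))

    return sorted(findings)


# Constructed sample data (not real inventory records).
REPORT_DATE = date(2014, 1, 24)
SAMPLE_ASSETS = [
    Asset("LT-001", "active", True, REPORT_DATE - timedelta(days=3)),     # healthy
    Asset("LT-002", "retired", True, REPORT_DATE - timedelta(days=400)),  # retired, certified
    Asset("LT-003", "retired", False, REPORT_DATE - timedelta(days=700)), # retired, no certificate
    Asset("LT-004", "active", False, REPORT_DATE - timedelta(days=200)),  # silent, unencrypted
    Asset("LT-005", "active", True, REPORT_DATE - timedelta(days=120)),   # silent
]
SAMPLE_DISPOSALS = [
    Disposal("LT-002", "CERT-0001", date(2013, 1, 10)),
    Disposal("LT-999", "CERT-0002", date(2013, 6, 2)),  # tag unknown to the register
]


if __name__ == "__main__":
    for tag, finding in reconcile(SAMPLE_ASSETS, SAMPLE_DISPOSALS, REPORT_DATE):
        print(f"{tag}: {finding}")
```

Each finding maps to one of the two failures in the story: devices that left the register without evidence of sanitisation, devices that went quiet without being reported, and disks that hold data in the clear should they turn up somewhere they should not.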