Coca-Cola has successfully protected the company’s world-famous, century-old secret formula for over 125 years. Unfortunately, last week the company announced that it wasn’t so successful in protecting employee information and had suffered a data breach. But this breach didn’t involve hackers or malware like the recent massive Target breach.
A spokesperson for the company announced that 50-plus laptops were stolen over the course of about six years by an as-yet-unidentified employee who is said to have been responsible for equipment disposal. The data theft compromised the personal information of as many as 74,000 Coca-Cola employees. The investigation has revealed that some of the data belonged to a bottling company that was acquired by Coke in 2010.
A major part of the problem was a disregard for Atlanta-based Coca-Cola’s corporate policies concerning encryption. According to Larry Ponemon, chairman of the Ponemon Institute, the Coke incident is not unique. Ponemon estimates that more than half of Fortune 1,000 firms experience an annual breach of 1,000 to 100,000 confidential user data records, including those of employees. When information is not stored in an encrypted format, anyone who obtains the device can easily view the data. Apparently, the data on the laptops was not encrypted, in violation of Coca-Cola’s policies.
This is not Coke's first issue with information security. In March of 2009, company employees were quietly approached by the FBI about a breach of Coke's computer system that included sensitive files about Coke's attempted $2.4 billion acquisition of China Huiyuan Juice Group. Although Coke has not acknowledged this breach, the details are based on information from three people familiar with the situation along with an internal company document describing the cyber breach. The Huiyuan deal, had it been successful, would have been the largest foreign takeover of a Chinese company at the time. The deal collapsed three days after the FBI involvement.
Where is your company’s data?
We don’t often hear about breaches that don’t involve typical hacking-type activity, but as the Coke breach illustrates, there are other ways that breaches can occur. This breach should have IT security personnel thinking about things that probably don’t normally cross their minds:
- How are our computers secured?
- Who has sensitive data and is it encrypted?
- Do we dispose of computers in a secure manner so that any personal information is wiped from the hard drive?
These aren’t commonly discussed topics, but as the Coca-Cola breach points out, they probably should be.
January 31, 2014