Stolen laptops had Coke workers' personal info

Data on at least 74K current and former employees may have been compromised


Jan. 25--Personal information about at least 74,000 current and former Coca-Cola employees may have been compromised after company laptops were stolen, the beverage giant said Friday.

Social Security numbers for about 18,000 employees, former workers, contractors and vendors in the United States and Canada were on computers recovered from an ex-employee whose job was to maintain or dispose of company equipment, Coke said.

In addition, driver's licenses and other personal information for another 56,000 people also was exposed, Coca-Cola said.

While Coke said there is no indication the information has been misused, the potential data loss is the latest in a string of security breaches across corporate America that experts say are becoming increasingly common. The growing digitization of huge amounts of data has become catnip to thieves.

The breaches range from the recent theft of credit and debit information this past holiday season at such large retailers as Target and Neiman Marcus to reports of cyber attacks on business giants ranging from Apple to the New York Times to Coca-Cola itself.

But experts say not all breaches are alike.

"These type of situations -- while disconcerting -- shouldn't really worry most employees," said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. "If the hardware is lost, or if it was stolen, left at the airport, generally in these cases the bad guys isn't after the data, they are after the hardware.

"There is nothing [for affected employees] to do... But it's not something that you lose sleep over," Grossman said.

Coca-Cola said it discovered the theft in December, but did not give details on how many laptops were stolen or when they were taken, or if the former worker was employed by the company at the time of the incident. The company also didn't say if the employee has been charged with any crime.

"We cannot comment as it is an ongoing (police) investigation," spokeswoman Ann Moore said.

Each state has a different requirement for when a company must inform people of a potential information breach, said John M. Simpson, director of Consumer Watchdog's privacy project. If a criminal investigation is opened, companies can stay mum for longer in many states.

Coca-Cola said it will offer everyone affected free identity theft protection for one year. The information, which was found on Coca-Cola Refreshments and former Coca-Cola Enterprises laptops, also included information on pay, ethnicity and addresses.

After discovering the breach, the company began reviewing files and documents on the recovered computers, bringing in extra staff to hasten the process, Moore said. She added the company told the people affected within the time period required by law.

"There was an extensive number of files that we had to go through," she said.

David Barton, managing director of the accounting and consulting firm UHY, said the exposure of people's identities and information now is "just a fact of life."

"I don't know very many people who have not been a victim of identity theft or identity fraud," Barton said. "It's just a part of modern life."

While all devices that have company information should be encrypted, Barton said, it's rare that smart phones and tablets have that level of security. The stolen Coca-Cola laptops were unencrypted.

"Most companies are behind the ball," he said.

Simpson, with Consumer Watchdog, said the problem is often lax security policies, or good security policies that are not followed.

Though many people who take computers are more interested in selling the devices than whatever might be on them, someone in the know would make use of whatever information was available, in addition to the computer itself, said JD Sherry, vice president of technology and solutions at cloud security company Trend Micro.

"A criminal is a criminal," Sherry said. "If he knows what's on those laptops, he could very easily sell it to a criminal group. ... (the data) is another thing he could sell."

This content continues onto the next page...