Citing a spokeswoman for the company, The Wall Street Journal reports that the laptops were stolen by a former employee who was responsible for the maintenance and disposal of equipment.
The company apparently recovered the stolen laptops, which were unencrypted, on December 10 but learnt shortly afterwards that information was stored on these devices, potentially compromising up to 74,000 customers. It is also worth noting that 10 credit card details were exposed in the breach, which is worrying in light of the group's compliance with PCI DSS.
“The Coca-Cola Company has sent notices to about 74,000 North America-based employees, former employees and other third parties informing them that some of their sensitive personal information was contained in documents on CCR and former CCE laptop computers that were stolen from the Company,” said the company in a statement.
“We have no indication that the information was misused. However, we understand the concerns some people may have and therefore, to demonstrate an abundance of caution, The Coca-Cola Company is offering free identity theft protection services to all affected.
“We take personal information security very seriously, and we apologise for any inconvenience this may cause.”
In response to the news, consultant Brian Honan said that the drinks giant had made a serious error in not encrypting the laptops in question.
“Serious questions have to be asked of Coca-Cola as to why the affected laptops were not encrypted,” said Honan, of BH Consulting. “With the various encryption solutions available, there really is no excuse why an organisation should not have its laptops encrypted, in particular when they contain sensitive information to individuals.
“As this incident highlights, encrypting laptops and other devices not only protects sensitive information from those external to the company but also to unscrupulous insiders,” he added.
ViaSat UK CEO Chris McIntosh, meanwhile, added that this was the latest sign that even the world's biggest organisations (Coca-Cola was ranked as the world's most valuable brand for 12 years running up until 2012) are lax when it comes to data security.
“The latest data breach shows how easy it is for personal details to fall into the wrong hands and the importance of taking the right measures to protect data,” McIntosh told SCMagazineUK.com.
“Sensitive information like social security numbers, driver's licence numbers and credit-card information can offer lucrative opportunities for criminals and organisations should see this as a wake-up call. Being aware that your information is at risk and ensuring that it is properly secured is not paranoia: it is instead sensible behaviour in the information age.
“Organisations need to be sure they have a firm grasp on their data, know where and when it has been copied or transferred, and ensure that techniques such as encryption are in place in case it falls into the wrong hands.”