Coca-Cola Laptop Breach A Common Failure Of Encryption, Security Basics

Coca-Cola is notifying employees, contractors and people associated with its suppliers following a data breach at its Atlanta headquarters that resulted in the theft of laptops and information exposure on at least 74,000 people.

The laptops, which have been recovered, were stolen by a former employee, according to the Wall Street Journal, which first reported the security incident Monday. A Coca-Cola spokesperson did not return repeated requests from CRN for a comment on Monday. Coca-Cola told the newspaper that the laptop was not encrypted and contained the names, Social Security numbers and addresses of the individuals and included other details, such as driver's license numbers, compensation and ethnicity.

The firm said the laptops were stolen by an employee who was assigned to properly dispose of the equipment. The newspaper reported that Coca-Cola is sending out notification letters to 18,000 people whose names and Social Security numbers were found on the laptops as well as 56,000 people who had other personal information potentially exposed.

[Related: Top 10 Security Breaches Of 2013 ]

Coca-Cola said its security policy requires laptop encryption. Lost and stolen laptops containing corporate data is a common occurrence, security experts in the channel told CRN. The latest breach highlights a failure of some basic security policies followed by a lack of security technology that has long been available to enterprises. Laptop encryption and user provisioning policies to remove access privileges from terminated employees may have prevented the issue, they say. Meanwhile, network monitoring may have detected and contained the problem before the data on tens of thousands of people was exposed.

The issue of monitoring the proper disposal of equipment is sometimes difficult to oversee, but procedures should have been in place to wipe the data before it was handed over for disposal, said Michael Aquino, director of cloud services at Cetan Corp. Aquino said the increased use of cloud-based services, combined with more workers using personally owned smartphones, tablets and laptops, have heightened the issue of how to properly address lost or stolen devices.

"You can wipe a phone or tablet clean with almost any kind of software, but a laptop becomes a thorny issue when you try to build in wiping and lock-out capabilities," Aquino said. "If you established a policy that freezes people out of their laptops after a certain period, you'd have way too many help desk requests and that can be extremely costly for IT and business productivity."

Aquino and other experts said the Coca-Cola breach may have been the result of a breakdown of its corporate policies. The Wall Street Journal reported that the company has been integrating its North American business that it acquired in 2010 for $12.3 billion

Enterprises have been increasingly deploying full-disk encryption on laptops for a specific core group of employees who work with sensitive data, say solution providers. Projects are time consuming and involve both deploying encryption itself and having mechanisms in place to enforce policies, said Arthur Hedge, CEO of information security consultancy, Castle Ventures. Adding the integration of a recently acquired business will further complicate matters. "In order for encryption to be 100 percent effective, you have to have a methodology to enforce policies and determine whether a laptop or other device meets the requirements to connect to the network," Hedge said. "There's no easy way to make it all work effectively."

The issue comes down to businesses increasingly being overburdened by employees' use of mobility, cloud-based services and the complexity of supporting them, said Tony Busseri, CEO of Route1 Inc., a maker of an identity management platform that integrates MobiKey hardware authentication tokens into corporate environments. The added complexity breeds weaknesses that can be taken advantage of by a rogue employee or an external hacker, Busseri said.

"In many cases, there are too many different technologies pieced together that don't interface together," Busseri said. "We're talking about a patchwork of solutions at many organizations that don't talk together."

PUBLISHED JAN. 27, 2014