Coca-Cola is facing a potential class-action lawsuit after one of the people whose personal data was on one of a clutch of laptops stolen from the company says he suffered identity theft as a result of the breach.
Laptops thefts are a common occurrence for most large organisations but the circumstances surrounding the loss of 55 laptops over a six-year period from the drinks giant’s Atlanta office and a bottling firm it acquired were always puzzling.
Made public on 24 January this year, it turned out that an employee, Thomas William Rogers III, had allegedly taken the machines without their loss being realised. The machines contained the records of 74,000 people, all current or former employees, including 18,000 revealing social security numbers.
Coca-Cola eventually recovered some of the laptops in December 2013, at which point the seriousness of the breach was realised. None of the records on the laptops had been encrypted.
According to Law360, plaintiff and former bottling engineer Shane Enslin, the lost data was used by thieves to make purchases with his credit cards and to apply for others, which affected his credit rating.
The suit also notes the lack of encryption and the alleged delay of several weeks in notifying victims after the breach was discovered.
“The company that guards perhaps the best-kept secret in America, the Coke formula, failed to reasonably protect its employees from identify theft," Enslin’s lawyer Donald E. Haviland told Law360.
"As a result, the most trusted information about Mr Enslin and thousands of other Coke employees has fallen into the hands of criminals. The Enslins have been under siege ever since. This suit was brought because Coke refused to do the right thing, despite direct pleas by the Enslins,” he said.
Although a small loss when set against the size of the firm involved, the reputational damage was still embarrassing, said SafeNet vice president of cloud solutions, Jason Hart.
“This breach is likely to have ramifications for Coca-Cola’s reputation and throw its security strategy into the limelight.”
With the long-awaited EU General Data Protection Regulation nearing implementation in 2015, the case also brings into relief that enterprises be vigilant about securing not only customer data but that of their employees.