Coca-Cola Co. announced a data breach Jan. 24, adding another big name to the list of companies dealing with recent security failures.
The news may have consumers sighing with exasperation — “Another one?” — but the breach at Coke is different from the attacks confirmed by Target, Adobe and Neiman Marcus: This one went after employee data.
The company said about 74,000 past and present employees’ personal information has been compromised as a result of laptop theft, which was allegedly carried out by a former employee who was responsible for recycling and maintaining equipment, according to reports in the Wall Street Journal and other data security outlets. In a memo sent to employees, the company explained the laptops were stolen and then returned, and they held information about U.S. and Canadian employees, including names, Social Security numbers, addresses, ethnicity and compensation. The laptops were not encrypted, but the memo did not explain why.
According to the Journal, the company learned of the theft Dec. 10, but employees were only just notified because the company needed to go through the information on the recovered hardware. Because the information on the laptops was not encrypted, the data is much more vulnerable to abuse, but the company said it has “no indication” personal information was misused.
Different Breach, Similar Lesson
Compared to the roughly 70 million customers impacted by the Target data breach, the 74,000 Coke employees may seem insignificant, but the nature of the security lapse is worrisome to some privacy experts.
“They had the policies in place, but to me, they weren’t really living, which means they didn’t have the mechanisms to enforce those policies,” said Walter Boyd, a senior privacy adviser with Identity Theft 911 Consulting who has 12 years of experience in the industry. “Companies really need to not just kind of cover themselves … but also really have the auditing and enforcement arm.”
The potential victims in this breach — whether they still have a professional relationship with Coke or not — should take reasonable steps to make sure their information hasn’t been misused, Boyd said, like reviewing activity on their credit reports in recent months. They also have the option of setting fraud alerts on their credit profiles, which can be done for free through the major credit reporting agencies, and Coke has said it will offer free credit monitoring to victims.
What If Your Company Lost Your Info?
Maybe you’re not an affected employee in this case, and this snafu may not be a direct threat to your financial and credit health, but it serves as a reminder that data breaches are a regular occurrence — whether your employer or a retailer loses your information. In any case, maintaining good habits of monitoring your account activity and changes in credit scores allows you to more easily spot anything fishy. With identity theft, the extent of the damage often correlates to how quickly the situation is addressed.
Staying up to date on your credit profile is easy. Consumers are entitled to free copies of their annual credit reports from the major credit reporting agencies, and there are useful free tools, like Credit.com’s Credit Report Card, that allow you to monitor your credit scores. Any new, unexpected accounts on your credit reports or sudden changes in your credit scores could indicate fraud, and you’ll want to act quickly once you discover it.
If you’re concerned about how your company secures your sensitive information, Boyd said to take up the matter with a compliance department, because it’s important to have confidence in your employer’s privacy policies. In this case, employees should be concerned, Boyd said, but they should act productively on that concern by closely monitoring their credit and communicating with the company about what is being done to resolve the situation.