What feds can learn from Coca-Cola's data breach

Coca-Cola is the latest corporate victim in a string of high-profile data breaches, but unlike the malware-assisted attacks that compromised millions of Nieman Marcus and Target customers' private information, the beverage giant's plight has some clear lessons for federal agencies.

Coca-Cola's breach, first reported Jan. 24 by the Wall Street Journal, involved a former employee stealing company laptops containing the unencrypted personal information of about 74,000 people.

Personal information removed from the company's Atlanta headquarters included the names, Social Security numbers, addresses, financial compensation, ethnicities, credit card and other information linked to employees, suppliers and contractors, forcing the company into damage-control mode.

In a statement, Coca-Cola said the laptops were later recovered and there was "no indication" that personal information was misused. However, the company notified the employees and offered them one year's worth of identify-theft protection services at no charge.

The government can learn three major lessons in mobile security from Coca-Cola's data breach, according Tony Busseri, CEO of Route1, a digital security and identity management company that works with the departments of Defense, Homeland Security and Energy.

• "The terminated employee's rights and privileges should have been shut down the moment he was terminated, and it would seem on the surface that it didn't happen," Busseri said. "These are simple protocols we should keep in mind supporting mobility."
  
  A Coca-Cola spokesperson identified the former employee who stole the laptops as someone whose job was to maintain or dispose of equipment. The spokesperson did not specify whether the individual was an employee when the laptops were stolen. Either way, Busseri said, an employee should not have either the physical capability to walk out of headquarters with laptops full of information or the network privileges to access the data.
  
  "Some systems in larger corporate America don't talk amongst each other well, and there can be a failure somewhere along the line," Busseri said. "All it takes is one."



• "Why was information of that sensitivity level beyond the firewall of the enterprise, and why wasn't it encrypted?" Busseri asked.
  
  According to Coca-Cola, the company's policy is to encrypt all laptops, but these laptops were not so protected. In a memo the company sent to employees, Coca-Cola did not explain why the stolen laptops were not encrypted.
  
  It is possible the laptop had a VPN connection and unencrypted data was inadvertently saved to the local drive, but the fact remains that the company's mobility policy ultimately failed.
  
  "If your solution supporting mobility is one where there is a risk that information could go out of your network, the policy is not good enough. Anytime you extract something beyond the firewall, it is at risk," Busseri said. This was a case, he said, of "data going with the device."
  
  This has happened in government before, with perhaps the most egregious case coming in 2006 when a Department of Veterans Affairs analyst's stolen laptop and external drive exposed the personal information of 26 million veterans. The VA data was also unencrypted, and ultimately cost taxpayers millions of dollars while seriously damaging the agency's reputation.



• Lastly, Busseri said, the terminated employee should not have been able to log into the laptops in the first place. Why wasn't there at least a password protecting the unencrypted, sensitive data on them? Why were they just lying around? "This individual got a laptop, but how did he get onto it?" Busseri asked. "Was there not even a single level of authentication on it?"

When data breaches occur, Busseri said, corporate America's response is often to implement more employee training and policy updates. He said more effective remedies involve common sense approaches to mobility policies, especially regarding unhinged or upset insiders.

In the arena of mobile security, Busseri said the public sector is far ahead of the private sector, but the lessons still apply.

"Organizations need to do a better job of terminating employees, terminating rights and privileges immediately and ensuring the systems communicate properly," he said. "Second, you should be using remote access solutions that make sure data doesn't leave. What's happened with Coca-Cola is a great proxy in the challenges government is facing. The workforce is mobile and wants to use its own devices. The government needs to extend up that mobility without increasing the security profile."