Soft drinks giant Coca-Cola has announced it suffered a data breach in September 2017 that compromised the personal data of 8,000 workers. The company discovered the breach after law enforcement officials notified it that a former employee of a Coca-Cola subsidiary had been found in possession of an external hard drive. The drive contained some employees' personal data, which appeared to have been misappropriated from Coca-Cola.
The company said it did not immediately disclose the incident at the request of authorities investigating the breach.
"Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee," the company said in notification letters sent to affected employees.
Coca-Cola said certain personally identifiable information (PII) was compromised in the breach, but noted that it currently has no information suggesting the misappropriated data was used to commit identity theft. The company did not specify what information was compromised in the breach.
A company spokesman said about 8,000 workers were affected by the security breach.
"We are issuing data breach notices to about 8,000 individuals whose personal information was included in computer files that a former employee took with him when he left the company," the spokesperson told Bleeping Computer. "We take information security very seriously and we sympathize with everyone whose information may have been exposed. We regret any inconvenience or concern this may be causing them."
Affected employees are being offered free identity monitoring for a year.
This isn't the first time Coca-Cola has suffered a data breach. Back in 2014, Coca-Cola warned around 74,000 current and former employees and other individuals that their personal information may have been compromised after several laptops containing unencrypted data were stolen from its Atlanta headquarters. The laptops were stolen by a former employee who was assigned to maintain or dispose of the equipment.
In that incident, the compromised data included names, Social Security numbers, addresses, ethnicity, credit card data, financial data and other information linked to employees, suppliers and contractors.