Skip to content

Coca Cola’s Stolen Laptops Exposes Gap in Process: A Need for ITAD

by on February 11, 2014

Image

Recently, Coca Cola announced that 55 laptops were stolen from their facilities.  The information contained on these laptops exposed information on over 74,000 individuals, including current and former employees as well as suppliers and vendors.  Information stolen ranges from driver’s license numbers to social security numbers.  Key highlights of the breach include knowledge that the laptops were not encrypted and the laptops were meant to be disposed of.  The person who was supposed to dispose of them was “sneaking them out the backdoor” over a time span of about six years.

Of course, my first thought when I heard about Coke losing 55 laptops was “What about the secret formula?!”  My next, more professional, thought was “How does this huge and prestigious company not have a way to make sure all their assets are actually disposed of?”

If I had to take a guess at the latter question – and I will or else this would be a short article – is that companies have yet to focus their attention on IT Asset Disposition (ITAD), and they trying to hide it under the same umbrella as IT Asset Management (ITAM).  In actuality, ITAM and ITAD address different problems, have different goals and challenges, and need to both be addressed to ensure security of sensitive data.

ITAM is tracking assets that are online, including both hardware and software.  IT Asset Management solutions give you a clear picture of all assets managed by your organization and help you make decisions about how to best utilize your assets to avoid overspending on more hardware or software licenses.  Additional metrics of hardware assets that are tracked by an ITAM solution could be health, rack space, and various asset attributes.

When a faulty hard drive is replaced or a server is decommissioned, the organization is left with an asset that has some value.  Equally important, the asset will most likely contain sensitive data.  Don’t believe me?  Refer to the first paragraph.

At this point the organization’s ITAM solution, in the traditional sense, is no longer responsible for the asset’s status, location, etc.  ITAD, however, is tracking all of the IT assets that are offline and managing them as they move through various disposition paths, such as destruction, repurposing, shipped back to a vendor, etc.  It is at this time where a lot of companies lack the management of these assets because it is not ITAM’s responsibility and they don’t have an ITAD solution.

Every organization should have standard policies and procedures for every path that an asset takes when it goes offline.  As an example, a bad hard drive must be removed from the server, degaussed, erased, grouped with other hard drives, and inventoried before handing it over to a destruction vendor.  After destruction is complete the inventory should be reconciled against the vendor’s certificate of destruction.   Tracking the location and status of these assets completes an important part of the asset’s lifecycle.  Still don’t believe me?  Refer to the first paragraph.

I think of ITAD as the bridge that connects ITAM and an asset’s final disposition destination.   A common misconception is that ITAD is just the process of destroying of the assets, but in most companies, several steps are taken before the assets are actually destroyed.  ITAD manages that process.

I’ve found that most companies lack an automated workflow for tracking assets as they move down these different paths, leaving them susceptible to losing an asset with sensitive data on it. In Coke’s case, there was clearly no method for verifying which laptops had been destroyed compared to those that were meant to be destroyed.  There was also no chain of custody so this employee’s manager had no visibility into the destruction process.  If there was visibility, there may have been a step for degaussing the laptops before destruction.  Furthermore, they trusted one person to be responsible for the disposal of these laptops with no audit trail to review.

There are many points that people could take away from the Coke case such as, why wasn’t the laptop’s data even erased?  In my opinion, what needs to be taken away from this example is that companies need to focus on what happens after assets go offline, and have procedures and controls in place to manage the disposition process.  There is significant risk associated with losing laptops or hard drives or USB drives.  In Coke’s case, they have exposed personal information, their company’s reputation is now tarnished, and they are setting themselves up to fines and litigation (I’m sure not the current employees but definitely the former ones!).

From → General

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: