In January 2014, Coca-Cola disclosed something quietly damaging about its own disposal process. For roughly six years, the employee responsible for retiring old laptops had simply walked off with them. Fifty-five devices, carrying personal information on about 74,000 people, had accumulated in one person's possession because nobody had wired up the chain between "retired from service" and "destroyed." This is the kind of breach that does not come from a sophisticated attack. It comes from a quiet phase in the asset lifecycle that nobody owns.
What actually happened
Coca-Cola revealed that an employee tasked with disposing of old equipment at the company's Atlanta offices had been removing devices over a period of around six years. The laptops were recovered late in 2013 — only then did the company audit what had been on them. The personal information of roughly 74,000 people was exposed: employees, former employees, contractors and suppliers across North America, including individuals inherited from a bottling company Coca-Cola had acquired in 2010.
About 18,000 of those records included Social Security numbers. The rest covered names, home addresses, financial-compensation details and ethnicity. Company policy required these laptops to be encrypted. They were not. A class-action suit followed within months. The reputational cost was the slow, public realisation that one of the largest consumer brands in the world had no idea what was sitting in its own disposal pipeline.
Two failures, compounding
The first failure is the obvious one. The retired devices were unencrypted, so the data was readable the moment a laptop was opened. That undermines the standard defence — "they would have had to crack the encryption to get to anything" — which is what makes the breach as bad as it was.
The second failure is the structural one and the more important. There was no chain of custody between "retired from active use" and "destroyed." Devices left service and entered a black hole that one person controlled. No inventory. No tracking. No verification step. Whoever sat in that role, with that visibility, could divert devices indefinitely. And for six years, somebody did.
The forgotten phase of asset lifecycle
Most data-disposal failures happen in this exact phase: a device is no longer in active use, but has not yet been destroyed. It sits in a cupboard, on a trolley, in a basement room, in someone's office — still full of data, waiting. The longer the wait, the higher the risk. Devices accumulate. Inventories drift. Whoever is responsible for the disposal pipeline ends up with sole visibility into what is supposed to be in it.
Compliance teams instinctively focus on the data while it is in active production — the security controls around live systems, the access logs, the encryption at rest. Asset lifecycle gets less attention because nothing is "happening" to retired equipment. But that is precisely when devices are most vulnerable: nobody is using them, nobody is logging them, and the person who should be destroying them has unsupervised custody.
What same-day, on-site destruction actually solves
The Coca-Cola breach happened across six years because the gap between retirement and destruction was a six-year gap. Collapse the gap to zero and the breach becomes structurally impossible. Same-day, on-site destruction is exactly that mechanism: the device is retired from service and destroyed in a single visit, in the same building, with a serial-numbered certificate issued before the destruction unit leaves.
There is no period during which devices accumulate. There is no cupboard for them to pile up in. There is no single person whose calendar controls when destruction "eventually" happens. The destruction event and the retirement event are the same event. For Luxembourg organisations handling personal data under GDPR — particularly under Articles 17, 28 and 32 — this is the configuration that makes the lifecycle defensible to a regulator.
What Luxembourg businesses should change today
If you have a stack of retired laptops, drives or phones currently sitting in a storage room awaiting "the next clear-out," you are running the same risk Coca-Cola did. Three concrete moves:
- Audit what is in the disposal pipeline right now. Itemise it. Who has visibility? Who has custody? What is on each device? If you cannot answer, the pipeline is uncontrolled by definition.
- Stop accumulating. Move to a same-day destruction model so devices retired on Monday are destroyed on Monday. Lëtzclean Data brings the destruction unit to your premises in Luxembourg, witnessed by your team, with the certificate issued before we leave. See the practical procedure in our GDPR data-destruction obligations guide.
- Require an itemised certificate of destruction per asset. A blanket "30 laptops destroyed" certificate cannot prove a specific machine was actually destroyed. Each asset must appear by serial number. This is the document that protects you from the failure mode Coca-Cola walked into — somebody quietly diverting devices and you having no way to detect it.
For a related case where the failure was at the contractor end rather than the insider end, see the NHS Brighton hospital drives breach — different failure mode, same missing artefact: the itemised certificate of destruction.
Close the retirement-to-destruction gap.
Same-day, on-site destruction at your premises in Luxembourg. Devices retire and are destroyed in a single visit, with a serial-numbered certificate before we leave. Tell us what is in your disposal pipeline and we will quote within 24 hours.