By NHI Mgmt Group Editorial TeamPublished 2025-08-19Domain: Breaches & IncidentsSource: Gurucul

TL;DR: Two Coca-Cola-related leaks exposed employee identity records, passport data, banking details, and a separate Salesforce dataset totaling 64 gigabytes, according to Gurucul. The pattern is not just breach volume, but how personal, customer, and operational data can be exposed when access, storage, and third-party governance are not tightly controlled.


At a glance

What this is: This is a breach analysis of two Coca-Cola-related data leaks that exposed employee identity records and a large Salesforce dataset.

Why it matters: It matters because identity-centric data exposure, third-party access, and cloud CRM concentration create downstream risk for IAM, IGA, PAM, and NHI governance programmes.

By the numbers:

  • The Coca-Cola Europacific Partners breach involved 64 gigabytes of data, including 23 million records between 2016 and 2025.
  • 959 employees
  • CCEP said the compromised Salesforce data included 6 GB of accounts, 52 GB of cases, 5 GB of contacts and 300 MB of products.

👉 Read Gurucul's analysis of the Coca-Cola Gulf and CCEP data leaks


Context

This breach analysis sits at the intersection of identity governance and data exposure. The issue is not only that two Coca-Cola-related environments leaked sensitive information, but that identity documents, banking records, customer cases, and CRM objects all became reachable through systems where access scope and business ownership were not sufficiently constrained.

For identity teams, the important question is how a large, distributed organisation ends up with such concentrated exposure in the first place. When employee records, partner access, and CRM data are treated as separate problems, governance breaks down across the full access chain, from user access to third-party access to the systems that store identity-linked data.

That is a typical failure pattern in large enterprises with regional operations and shared business platforms. The breach does not point to an isolated weakness so much as a broader inability to maintain clear access boundaries around high-value identity and customer data.


Key questions

Q: What breaks when employee identity data and CRM records are exposed together?

A: The breach stops being a single-data-set problem and becomes an impersonation, fraud, and privilege abuse problem. Identity documents, contact details, and account records can be combined to defeat verification workflows and target employees or customers more convincingly. The control gap is usually weak data segmentation and overly broad access to systems that mix operational and identity-sensitive information.

Q: Why do cloud CRM platforms create outsized breach risk?

A: They concentrate business relationships, support activity, and structured identity data in one place, which makes them valuable targets. If access is too broad or poorly reviewed, attackers can extract a large, reusable dataset from a single compromise. The practical issue is not only platform security, but how access is governed across teams, regions, and third parties.

Q: What do security teams get wrong about leaked personal data?

A: They often treat it as a one-time privacy issue instead of an ongoing identity abuse problem. Once passport numbers, banking details, or residency records are exposed, they can be reused for fraud, phishing, and social engineering long after the original breach is contained. Response plans need to cover downstream misuse, not just containment and notification.

Q: Who is accountable when third-party access exposes sensitive records?

A: The organisation that owns the data and the systems remains accountable, even when external partners or distributors are involved. Governance should define who approves access, who reviews it, and who confirms revocation when the relationship ends. Without that ownership, third-party access becomes a persistent exposure rather than a controlled business dependency.


Technical breakdown

How identity-linked data becomes a breach multiplier

When identity records are stored alongside operational business data, the breach impact expands well beyond a single user account. Passport numbers, residency records, bank details, and employee identifiers create a high-value dataset for phishing, account takeover, and fraud. In the CCEP case, CRM objects and customer support data added a second layer of sensitivity because the compromise was not limited to static personal data. The technical problem is concentration: one exposed repository can reveal enough information to support impersonation, social engineering, and follow-on access attempts.

Practical implication: classify identity-linked records and CRM exports as high-risk data sets, not routine business content.

Why Salesforce environments are attractive targets

Salesforce is often used as a central operational system for accounts, contacts, service cases, and product records, which makes it a rich target when authentication, session control, or API access is weak. Attackers do not need to break every surrounding system if one cloud application contains enough structured data to monetise or weaponise. The issue is compounded when access is shared across regions, support functions, or third parties, because privilege boundaries become difficult to trace and revoke. In practice, the platform becomes a data aggregation point with outsized breach impact.

Practical implication: map privileged and third-party access paths into CRM platforms and review them as part of cloud identity governance.

How ransomware and leak-site operations extend incident impact

The initial compromise is only the first stage. Once threat actors extract sensitive data, they can publish selective samples, sell databases, or use identity documents to support further fraud. Leak-site publication turns a confidentiality event into a reputational and regulatory problem because the victim must now account for data that can be copied indefinitely. In this case, the combination of employee documents and Salesforce content created multiple abuse paths. The technical issue is not just exfiltration, but durable exposure that cannot be rolled back once data is released.

Practical implication: assume published identity data will be reused, and build incident response around downstream abuse, not only containment.


Threat narrative

Attacker objective: The attacker objective was to monetise sensitive identity and CRM data through extortion, resale, and public leak pressure.

  1. Entry occurred through compromise of a high-value business data environment containing employee and CRM information, rather than through a narrowly scoped single-user record.
  2. Credential or access abuse enabled extraction of large datasets from the Salesforce environment and related employee repositories, including identity documents and support records.
  3. Impact followed through leak-site publication and potential resale, creating downstream fraud, phishing, and regulatory exposure for the affected organisations.
  • Microsoft SAS Key Breach — Overly permissive Azure SAS token exposes 38TB of Microsoft internal data including secrets and credentials.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-linked data has become a breach amplifier, not just a privacy issue. When employee passports, residency records, banking details, and CRM objects sit close together, one compromise produces multiple abuse paths. That means identity governance and data governance can no longer be treated as separate programmes. Practitioners should treat identity-linked records as high-risk assets with separate access, retention, and review requirements.

Salesforce and similar cloud systems function as identity concentration points. The real risk is not the platform name but the role it plays in aggregating accounts, cases, contacts, and operational records across regions and teams. Once access becomes broad enough to support business convenience, it also becomes broad enough to support exfiltration. IAM and PAM teams need to model those systems as privilege hubs, not just SaaS applications.

Standing third-party access without tight lifecycle offboarding is a recurring failure mode in large distributed enterprises. The access model was designed for known business relationships and stable administrative boundaries. That assumption fails when regional operations, distributors, support teams, and external actors can reach the same sensitive repositories over long periods. The implication is that offboarding, entitlement review, and scope reduction must be treated as continuous controls, not annual hygiene.

Leaked identity data creates compounding operational risk after the initial incident. Passport numbers, national identity details, and banking information support fraud, phishing, and impersonation even after containment. That makes breach response an identity problem as much as a security problem. Practitioners should assume that the post-breach phase includes credential abuse, social engineering, and regulatory disclosure workstreams that last well beyond the original compromise.

Data gravity is now an identity governance issue. The larger the shared repository, the harder it is to maintain accurate ownership, least privilege, and access accountability. This is where NIST-CSF, OWASP-NHI principles for machine-accessed systems, and lifecycle governance intersect. Security teams should redesign review cadences around the systems that concentrate identity risk, not just the accounts that touch them.

From our research:

What this signals

The practical signal for identity programmes is that breach response must now account for identity reuse, not just exposure. Once employee or customer records leave the perimeter, the problem shifts into verification fraud, social engineering, and access abuse, which means IAM, fraud, and security operations need a shared incident playbook.

Identity blast radius: the more systems that combine personal data, support history, and account metadata, the harder it becomes to contain a compromise. That pushes practitioners toward tighter segmentation, stronger entitlement reviews, and shorter-lived access paths around the systems that concentrate trust.

This is also where lifecycle governance becomes measurable. If distributor, contractor, or internal support access cannot be revoked cleanly and validated quickly, the organisation is carrying hidden exposure into the next incident.


For practitioners

  • Map identity-linked data stores first Inventory systems that contain passports, payroll data, banking details, residency records, customer cases, and account metadata, then assign a named data owner and access reviewer to each store.
  • Tighten third-party access paths Review distributor, support, and contractor access to CRM and HR-adjacent systems, remove broad standing access, and validate that offboarding actually revokes entitlement across every connected environment.
  • Separate CRM convenience from breach impact Reduce the number of users and integrations that can export large Salesforce datasets, and segment support-case data from identity and financial records wherever business processes allow.
  • Plan for downstream identity abuse Assume stolen identity documents will be used for phishing, impersonation, or account takeover, and align fraud monitoring, user communications, and law enforcement escalation accordingly.

Key takeaways

  • The breach exposed how identity documents and CRM data together create a far larger abuse surface than either dataset alone.
  • The scale matters because 64 gigabytes of Salesforce data and 959 employee records can fuel fraud, phishing, and regulatory scrutiny long after containment.
  • The control lesson is to govern data concentration, third-party access, and offboarding as one identity risk problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Identity-linked data exposure reflects weak NHI inventory and access governance.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThe article centres on access abuse followed by data theft and leak-site publication.
NIST CSF 2.0PR.AC-4The incident shows why least-privilege access to identity-linked systems matters.
NIST SP 800-53 Rev 5AC-6Least privilege is the key control gap when broad repository access increases breach impact.

Classify exposed identity-linked repositories and apply tighter ownership, review, and revocation controls.


Key terms

  • Identity-linked Data: Data that directly identifies a person or can be used to verify, impersonate, or profile them. In practice this includes passports, bank details, residency records, employee IDs, and customer relationship records that can support fraud or account takeover when exposed.
  • Privilege Hub: A system that concentrates access to multiple sensitive datasets, making it a breach multiplier if controls are weak. Cloud CRMs, HR platforms, and shared support environments often become privilege hubs when many teams, regions, or third parties rely on the same access layer.
  • Downstream Abuse: Secondary misuse that happens after the initial breach, such as phishing, impersonation, or fraudulent verification. Security teams should treat exposed identity data as durable risk because attackers can reuse it long after the original incident is contained.
  • Third-Party Offboarding: The process of revoking and validating access when a vendor, distributor, or contractor relationship ends or changes. Effective offboarding is not just account deletion, but confirmation that access paths, integrations, and inherited permissions have all been removed.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • Screenshot-level detail on the allegedly exposed Salesforce objects, including accounts, cases, contacts, and products.
  • The breach narrative around the Gulf Coca-Cola employee leak, including the categories of personal data reportedly exposed.
  • The article's own breakdown of why Salesforce dashboards are sensitive repositories in enterprise environments.
  • Threat-actor claims, dark web posting context, and the specific leak-site framing described in the source.

👉 The full Gurucul post covers the employee data categories, Salesforce exposure, and leak-site claims in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org