TL;DR: Two Coca-Cola-related leaks exposed employee identity records, passport data, banking details, and a separate Salesforce dataset totaling 64 gigabytes, according to Gurucul. The pattern is not just breach volume, but how personal, customer, and operational data can be exposed when access, storage, and third-party governance are not tightly controlled.
NHIMG editorial — based on content published by Gurucul covering the Coca-Cola Gulf and Coca-Cola Europacific Partners data leaks: Cyber Threat Intelligence Report: Coco-Cola Gulf & CCEP Data Leak
By the numbers:
- The Coca-Cola Europacific Partners breach involved 64 gigabytes of data, including 23 million records between 2016 and 2025.
- The Coca-Cola Gulf leak reportedly exposed data from 959 employees, including names, passport numbers, addresses and banking details.
- CCEP said the compromised Salesforce data included 6 GB of accounts, 52 GB of cases, 5 GB of contacts and 300 MB of products.
Questions worth separating out
Q: What breaks when employee identity data and CRM records are exposed together?
A: The breach stops being a single-data-set problem and becomes an impersonation, fraud, and privilege abuse problem.
Q: Why do cloud CRM platforms create outsized breach risk?
A: They concentrate business relationships, support activity, and structured identity data in one place, which makes them valuable targets.
Q: What do security teams get wrong about leaked personal data?
A: They often treat it as a one-time privacy issue instead of an ongoing identity abuse problem.
Practitioner guidance
- Map identity-linked data stores first Inventory systems that contain passports, payroll data, banking details, residency records, customer cases, and account metadata, then assign a named data owner and access reviewer to each store.
- Tighten third-party access paths Review distributor, support, and contractor access to CRM and HR-adjacent systems, remove broad standing access, and validate that offboarding actually revokes entitlement across every connected environment.
- Separate CRM convenience from breach impact Reduce the number of users and integrations that can export large Salesforce datasets, and segment support-case data from identity and financial records wherever business processes allow.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Screenshot-level detail on the allegedly exposed Salesforce objects, including accounts, cases, contacts, and products.
- The breach narrative around the Gulf Coca-Cola employee leak, including the categories of personal data reportedly exposed.
- The article's own breakdown of why Salesforce dashboards are sensitive repositories in enterprise environments.
- Threat-actor claims, dark web posting context, and the specific leak-site framing described in the source.
👉 Read Gurucul's analysis of the Coca-Cola Gulf and CCEP data leaks →
Coca-Cola leaks and Salesforce exposure: what IAM teams should notice?
Explore further
Identity-linked data has become a breach amplifier, not just a privacy issue. When employee passports, residency records, banking details, and CRM objects sit close together, one compromise produces multiple abuse paths. That means identity governance and data governance can no longer be treated as separate programmes. Practitioners should treat identity-linked records as high-risk assets with separate access, retention, and review requirements.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when third-party access exposes sensitive records?
A: The organisation that owns the data and the systems remains accountable, even when external partners or distributors are involved. Governance should define who approves access, who reviews it, and who confirms revocation when the relationship ends. Without that ownership, third-party access becomes a persistent exposure rather than a controlled business dependency.
👉 Read our full editorial: Coca-Cola data leaks expose how identity sprawl fuels breach impact