
Coca-Cola and bottling partner named in separate ransomware attacks


The drink company is facing two separate cyberattack claims. 

 

What happened

Two malicious organizations have targeted Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP). 

The ransomware group Everest listed Coca-Cola as a victim on its dark web leak site, including screenshots that allegedly come from internal employee documents. The data included personal information of 959 employees, such as visa and passport scans, salary data, and other HR-related records. Some personally identifiable information (PII) may also be involved.

For CCEP, the hacking group Gehenna claimed to have breached the company's Salesforce dashboard earlier in May. The group alleged that it exfiltrated more than 23 million records, some from as far back as 2016.

The data allegedly contained sensitive customer relationship management (CRM) data. Gehenna claimed to have accessed 7.5 million Salesforce account records, 9.5 million customer service cases, 6 million contract entries, and over 400,000 product records. Samples of the data were shared on a public data breach forum.

 

What’s next

Currently, Coca-Cola and CCEP have not publicly commented on the incident. On the public data forum where Gehenna first listed the breach, the group posted a message to CCEP employees. The group claimed to be open to negotiating and also warned that they “have more where that came from.” The group provided Telegram contact information and appeared to be actively soliciting a response from CCEP.

Everest has not been as public with its demands, but as a ransomware organization, it is likely also aiming to extort Coca-Cola.

 

The big picture

Although the attacks were separate, their coincidental timing could create increased difficulties for Coca-Cola and CCEP, who may experience financial or operational challenges stemming from these attacks. Since these companies work closely together, the attacks may create more delays to their standard operating procedures. On top of that, it’s possible that some individuals were impacted by both breaches, meaning more of their data may be available on the dark web.

 

FAQs

Could there be any connection between the attacks? 

Currently, there is no reason to suggest that the attacks are related. Little is known about the Gehenna ransomware group. Everest was first discovered in 2021 and has gone through multiple iterations, leaving the possibility of collaboration. For now, the incidents are being handled separately. 

 

Why would hackers target Coca-Cola and CCEP?

The breaches resulted in sensitive employee information (from Coca-Cola) and customer information (from CCEP) being accessed. Certain information, like personally identifiable information, contact information, or banking information, can be valuable on the dark web. 

 
