Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are grappling with cyberattack claims from two distinct hacking groups, Everest and Gehenna. The Everest ransomware group has announced that it breached Coca-Cola’s systems, claiming to have access to sensitive internal documents and personal information of 959 employees. These claims have been substantiated by screenshots shared on their dark web leak site, indicating that the breach may specifically impact Coca-Cola’s operations in the Middle East, particularly its Dubai office at the Dubai Airport Free Zone.
Among the leaked information are visa and passport scans, salary data, and other human resources-related records. Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, commented on the situation, noting that if the attack is genuine, it raises questions about the effectiveness of Coca-Cola’s cybersecurity investments. He indicated that initial research suggests the attackers employed tactics such as credential harvesting and targeting Active Directory.
In a separate but related incident, Gehenna has claimed to have breached CCEP’s Salesforce dashboard, reportedly exfiltrating over 23 million records containing sensitive customer relationship management data. This data includes approximately 7.5 million Salesforce account records, 9.5 million customer service cases, and numerous product records dating back to 2016. Gehenna has shared samples of the data on a public data breach forum, demonstrating the seriousness of their claims.
Both threat groups are leveraging contrasting tactics (ransomware extortion by Everest and data leak-based pressure by Gehenna) while targeting large corporations like Coca-Cola that manage extensive customer and employee data. Industry experts, including John Bambenek, President of Bambenek Consulting, emphasize the increasing risks associated with cloud platforms, suggesting that organizations need to enhance security visibility and detection methods to mitigate these threats. No public confirmation of the breaches has been made at this time.