Two hacking groups have claimed responsibility for cyberattacks targeting Coca-Cola, with one alleging the theft of over 23 million records.
Cyber Security News reported that in posts on dark web forums, the Everest ransomware group claims to have breached Coca-Cola’s internal systems, focusing on data linked to its Middle East operations.
Known for previous attacks on NASA and the Brazilian government, Everest reportedly exfiltrated sensitive and confidential company information. However, the credibility of the claim is uncertain, especially after the group’s own leak site was defaced in April.
In a separate incident, the Gehenna hacking group alleges it compromised Coca-Cola Europacific Partners’ Salesforce dashboard in early May. The group says it stole 23 million records spanning from 2016 to 2025, including account details, contact information, product data, and customer case files, potentially exposing vast amounts of sensitive CRM data.
Coca-Cola Europacific Partners, the beverage giant’s largest bottler across Europe and the Asia Pacific, has not confirmed the breach. The company has been heavily investing in digital transformation, a strategy that could be jeopardized by such a significant security incident.
These are not isolated events. In 2023, a Coca-Cola bottler reportedly paid $1.5 million to bad actors to prevent a data leak. In 2018, the company disclosed a breach involving data from 8,000 employees.
While neither Coca-Cola nor Coca-Cola Europacific Partners has released an official statement, security analysts caution that ransomware groups often exaggerate claims to pressure victims.
Customers and partners are urged to stay alert and monitor Coca-Cola’s official channels for updates and security guidance.
Lucrative Targets
Jamie Akhtar, CEO and Co-founder at CyberSmart, says it goes to show that no brand, no matter how global or well-resourced, is immune to today’s sophisticated cyber threats.
High-profile companies like Coca-Cola are lucrative targets for financial extortion, given the reputational impact a breach can have. “Attackers understand that these organisations are under intense pressure to keep operations running and reputations intact, making them prime candidates for ransomware demands and public data exposure.
“What’s particularly concerning is Everest’s strategy of not only encrypting systems but stealing and publishing sensitive data to pressure victims into paying,” adds Akhtar. “This double-extortion method has become the norm, turning cyber attacks into long-term reputational crises rather than one-off incidents. For a consumer-facing brand, the fallout isn’t just about internal disruption but also about broken trust. In industries where brand loyalty is key, data leaks that involve personal or operational information can have a lingering effect on customer confidence.”
Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, says: “These hackers are known to use double extortion, which means that there could be ransomware at play while they are peddling stolen information. But today’s hackers are in it for the money and not for activism, and they are not known to be consistent. What they got may be of little importance, or they could have hit pay dirt.”
Insufficient Cybersecurity Investments?
Sarkar says what is interesting to note is that their darknet site was defaced in April this year and had to go offline. “Initial research suggests that they use harvested credentials and exfiltrate Active Directory, too. However, this could be a bogus claim, too. If this is a genuine attack, I assume that existing cybersecurity investments of Coca-Cola into state-of-the-art technology were insufficient to stop this attack, and hence, the perpetrators succeeded. I am not sure we will ever know, but it would be nice to know if they had controls to anticipate, contain, and evolve their breach readiness.”
As companies adopt more SaaS solutions, it creates opportunities for ransomware actors to get their hands on sensitive data, adds John Bambenek, President at Bambenek Consulting. “Many SaaS tools don’t offer the same kinds of robust logs and security detections as IaaS vendors which means organizations can often be blind to attacks on their own data. Organizations should start thinking about how they can get logs from their SaaS applications into their SIEM and develop detections that indicate data exfiltration.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


