Coca-Cola and Bottling Partner Face Separate Claims Over Ransomware and Data Breaches

Recent reports indicate that Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are facing separate breach claims from two different threat groups. The Everest ransomware group has claimed responsibility for breaching Coca-Cola’s systems, while another group, Gehenna (also known as GHNA), alleges it has compromised significant data from CCEP’s Salesforce environment.

Everest Ransomware Targets Coca-Cola

Everest has publicly identified Coca-Cola as a victim on its dark web leak site, disseminating screenshots that purportedly show access to sensitive internal documents, including personal data of 959 employees. This data reportedly encompasses scans of visas and passports, salary information, and various HR-related records.

Initial analyses, as reported by Hackread, suggest the breach predominantly affects Coca-Cola’s operations in the Middle East, with indications that the Dubai office at the Dubai Airport Free Zone may have been specifically targeted. The leaked materials include employee identification details and documents commonly held by HR departments, suggesting the potential exposure of personally identifiable information (PII).

Screenshot from Everest’s dark web leak site (Image credit: Hackread.com)

Cybersecurity expert Mr. Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, commented on the attack tactics, indicating that initial evidence points towards credential harvesting and targeting of Active Directory systems. If these claims are verified, they could imply that Coca-Cola’s previous cybersecurity investments may not have been sufficient to thwart such an incident.

Gehenna Alleges Major Breach at Coca-Cola Europacific Partners

In a separate breach, the Gehenna hacking group claims to have infiltrated CCEP’s Salesforce dashboard earlier this month, exfiltrating an astonishing 23 million records that date back to 2016. The alleged theft includes a treasure trove of sensitive customer relationship management (CRM) data.

The stolen data purportedly comprises 7.5 million Salesforce account records, 9.5 million customer service cases, 6 million contact entries, and over 400,000 product records. Gehenna posted some samples on a public data breach forum, which included logs referencing Coca-Cola Enterprises Norway and contained customer support histories alongside contact details.

Gehenna’s post regarding the alleged CCEP breach (Image credit: Hackread.com)

These two incidents occur during a troubling rise in cyberattacks targeting large multinational organizations, particularly those with extensive customer and employee data. The contrasting methodologies of the Everest and Gehenna groups—ransomware extortion versus data leak pressure—underscore their similar objective: monetizing stolen information.

As of now, neither Coca-Cola nor CCEP has publicly confirmed the breaches. However, cybersecurity expert John Bambenek, President of Bambenek Consulting, highlighted the increasing vulnerabilities associated with cloud-based platforms. As organizations adopt more Software-as-a-Service (SaaS) solutions, the potential avenues for threat actors expand. He stressed the importance of integrating SaaS logs into Security Information and Event Management (SIEM) systems to detect suspicious activity, such as large-scale data retrievals from single user accounts.
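The detection Bambenek describes, large-scale data retrieval by a single account, can be expressed as a rolling per-user row count over SaaS event logs. The sketch below is an added example, not code from the article or from any vendor; the JSON field names (ts, user, rows), the one-hour window, the threshold and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The field names (ts, user, rows)
# are assumptions; map them to the fields your SaaS event export provides.
SAMPLE_LOG = """\
{"ts": "2025-01-15T09:00:00", "user": "agent.a", "rows": 120}
{"ts": "2025-01-15T10:00:00", "user": "svc.integration", "rows": 40000}
{"ts": "2025-01-15T10:20:00", "user": "svc.integration", "rows": 45000}
{"ts": "2025-01-15T10:40:00", "user": "svc.integration", "rows": 30000}
{"ts": "2025-01-15T10:50:00", "user": "svc.integration", "rows": 20000}
{"ts": "2025-01-15T11:00:00", "user": "agent.b", "rows": 60000}
{"ts": "2025-01-15T12:30:00", "user": "agent.b", "rows": 60000}
{"ts": "2025-01-15T13:00:00", "user": "svc.integration", "rows": 500}
this line is malformed and must be skipped
"""

WINDOW = timedelta(hours=1)   # assumed look-back window
ROW_THRESHOLD = 100_000       # assumed tuning value; baseline it per tenant

def parse_events(text):
    """Yield (timestamp, user, rows) from JSON lines, skipping malformed ones."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            yield datetime.fromisoformat(rec["ts"]), rec["user"], int(rec["rows"])
        except (ValueError, KeyError, TypeError):
            continue

def detect_bulk_retrieval(text, window=WINDOW, threshold=ROW_THRESHOLD):
    """Alert once per burst when a user's rolling row total reaches threshold."""
    recent = defaultdict(deque)   # user -> (timestamp, rows) inside the window
    totals = defaultdict(int)     # user -> rows currently inside the window
    alerting = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, rows in sorted(parse_events(text)):  # tolerate out-of-order logs
        q = recent[user]
        q.append((ts, rows))
        totals[user] += rows
        while q and ts - q[0][0] > window:              # expire old events
            totals[user] -= q.popleft()[1]
        if totals[user] >= threshold:
            if user not in alerting:
                alerting.add(user)
                alerts.append({"user": user, "at": ts.isoformat(), "rows": totals[user]})
        else:
            alerting.discard(user)
    return alerts
```

Note that agent.b retrieves 120,000 rows in total but never trips the default threshold, because the two retrievals fall in different windows; the window length is as much a tuning decision as the row count.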

Given the active and well-resourced nature of both hacking groups, it remains crucial for affected organizations to respond appropriately to mitigate further risks. A definitive public statement may clarify the implications of these breaches and provide insight into the true scale of the impact.
