Data Breach at Coca-Cola: Everest Ransomware Group Exposes Employee Records
On May 22, Hackread.com reported a concerning incident involving the Everest ransomware group, which has claimed responsibility for breaching the data of 959 Coca-Cola employees based in the Middle East, specifically in the UAE, Oman, and Bahrain. In a separate yet alarming revelation, another hacking collective asserted it had pilfered 23 million records from Coca-Cola Europacific Partners (CCEP).
Recent updates confirm that the Everest group has leaked sensitive employee data from the Coca-Cola Company. This data has been made available on the Everest group’s dark web site and on the notorious Russian-language cybercrime forum XSS, drawing scrutiny to the implications for affected employees and the corporation.
The breach has resulted in a substantial 502 MB data dump, consisting of 1,104 files that unveil sensitive internal and employee information specific to Coca-Cola’s operations in the Middle East. Among the leaked content are full names, home and business addresses, family and marriage certificates, as well as critical identity documents like passports and residency permits. Financial details, including banking information and salary records, alongside employee email addresses—both personal and professional—are also included.
Within this compromised data, there exists an Excel sheet labeled "SuperAdmin_User_Account_Cocacola," which details Coca-Cola’s internal administrative structure and user roles. While it does not disclose passwords or direct login credentials, the information outlines accounts with significant permissions, including those held by system administrators and HR personnel. Such a breakdown serves as a roadmap for potential threat actors aiming to exploit vulnerabilities within the company’s internal hierarchy.
In addition to this file, another named "Emp Hierarchy Upload" provides insights into organizational structures, including job titles and reporting lines. A third file titled "HRBP Upload" details Coca-Cola’s HR Business Partner assignments, complete with departmental functions and employee IDs. The aggregation of this data presents a troubling risk profile, particularly in how it could facilitate various cyberattack strategies.
The exposure of personal and sensitive corporate information increases the likelihood of spear-phishing attacks, in which specific individuals are targeted for fraud via customized communications. The internal data could also be leveraged in social engineering schemes that let criminals impersonate corporate executives. Attackers may likewise initiate phone-based scams under the pretense of being HR or IT staff, or harvest credentials through deceptive websites.
In light of the breach, it’s crucial to consider the security landscape shaped by the tactics employed by the Everest ransomware group. The MITRE ATT&CK framework identifies several relevant adversary tactics that may have been used, including initial access through phishing or exploitation of unpatched vulnerabilities, as well as persistence tactics to maintain access to Coca-Cola’s systems. The threat actors could also have pursued privilege escalation to gain further control over sensitive resources.
While it remains undisclosed whether any negotiations took place between Coca-Cola and the Everest group concerning ransom payments, the industry commonly observes a veil of secrecy surrounding these discussions. Companies often refrain from revealing specifics to protect internal investigations and maintain ongoing law enforcement collaborations.
The Everest ransomware group’s history of leaking sensitive corporate data after unfulfilled ransom demands underscores the magnitude of the threat. Coca-Cola has yet to publicly address the breach. Even so, the depth of the exposed data accentuates the growing cybersecurity challenges faced by corporations, making it imperative for business leaders to strengthen defenses and remain vigilant in today’s evolving threat landscape.
Hackread.com will continue to keep an eye on this developing situation, shedding light on the ramifications of this significant breach.