Everest Ransomware Leaks Coca-Cola Employee Data Online
Everest ransomware leaks Coca-Cola employee data: 1,104 files exposed, including HR, admin roles, IDs, personal details, and internal records.
On May 22, Hackread.com reported that Everest claimed responsibility for stealing data on 959 Coca-Cola employees, specifically across the Middle East, including the UAE, Oman, and Bahrain. Separately, another hacker group claimed to have stolen 23 million records from Coca-Cola Europacific Partners (CCEP).
Hackread.com can now confirm that the Everest ransomware group has leaked sensitive employee data stolen from the Coca-Cola Company. The data has been leaked on the Everest ransomware group’s dark web leak site as well as on the notorious Russian-language cybercrime forum XSS.
The group has posted a 502 MB data dump, exposing Coca-Cola’s Middle East-specific internal and employee records. The leaked folder contains 1,104 files with information that includes:
- Full names of employees
- Business and home addresses
- Family and marriage certificates
- Copies of visas, passports, residency permits
- Phone numbers, banking details, salary records
- Employee personal and business email addresses
**What’s Inside the Leaked Files**
Among the exposed documents is an Excel file titled SuperAdmin_User_Account_Cocacola, detailing Coca-Cola’s internal administrative account structure and assigned roles. While it does not include passwords or direct login credentials, it outlines which accounts hold critical permissions, including system administrators, HR roles, and integration accounts. This makes it a useful map for threat actors aiming to exploit the company’s system hierarchy, such as the Silent Ransom Group, the subject of a recent FBI warning, and others.
Another file, Emp Hierarchy Upload, lists:
- Organizational hierarchy levels
- Job titles and departmental details
- Country-based manager structures
- Employee usernames and full names
- Reporting lines, showing who reports to whom
A third file, HRBP Upload, contains data on Coca-Cola’s HR Business Partner (HRBP) assignments, including:
- Departmental functions
- Employee IDs and full names
- Assigned HRBP names and linked user IDs
- Relationship start and end dates (with many set as open-ended)
Screenshot from the leaked data (Image credit: Hackread.com)
**Sensitivity of the Leaked Data**
While not all files contain direct access credentials, the combination of sensitive personal data, administrative structures, and internal HR mapping increases the cybersecurity risk profile for Coca-Cola. Such details can aid cybercriminals in several ways, including:
- Spear-phishing attacks, targeting specific individuals with crafted emails or messages
- Social engineering schemes, using knowledge of internal relationships to impersonate executives, managers, or HR personnel
- Phone-based scams, where attackers call employees pretending to be HR or IT staff, asking them to share system credentials
- Credential harvesting, by directing employees to phishing websites disguised as official HR or IT portals
- Malware delivery, where attackers pose as HR managers or support teams and trick employees into installing malware under the guise of a “remote access tool” or “required update”
- Mapping internal systems and roles, helping attackers plan more precise future breaches, escalate privileges, or exploit admin-level access
Additionally, the exposure of passports, visas, and banking details presents direct personal risks to affected employees, opening the door to identity theft, financial fraud, or cross-border privacy concerns.
It remains unclear whether there were any negotiations or communications between the Everest ransomware group and Coca-Cola regarding a ransom payment. So far, no details have emerged publicly about whether Coca-Cola engaged in talks, refused to pay, or is still assessing the situation internally. As with many ransomware cases, companies often withhold such information while investigations are ongoing or while working with law enforcement.
**Persistent Threat**
The Everest ransomware group has a history of leaking sensitive corporate data when ransom demands go unmet. While Coca-Cola has not yet issued a public statement regarding this leak, the scale and depth of the exposed data highlight the growing danger posed by ransomware actors, not just to company systems, but to the personal lives and security of employees.
Hackread.com will continue monitoring this developing story.