Coca-Cola, Bottling Partner Named in Separate Ransomware and Data Breach Claims

Coca-Cola and its bottling partner CCEP targeted in separate cyber incidents, with the Everest ransomware gang and the Gehenna hacking group claiming data breaches involving sensitive employee and CRM data.

HackRead

Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are facing separate cyberattack claims from two distinct threat groups. The Everest ransomware gang says it has breached Coca-Cola’s systems, while another group named Gehenna (aka GHNA) is offering what it claims is a massive database stolen from CCEP’s Salesforce environment.

**Everest Ransomware Targets Coca-Cola**

The Everest ransomware group has listed Coca-Cola as a victim on its dark web leak site, sharing screenshots that suggest access to internal documents and personal information of 959 employees. These include visa and passport scans, salary data, and other HR-related records.

According to samples reviewed by Hackread, the breach appears to affect Coca-Cola’s operations in the Middle East, with several files indicating that the Dubai office at the Dubai Airport Free Zone (DAFZ) may have been the specific target.

Everest has released samples that contain employee identification details and documents that typically circulate within HR departments. The nature of the leaked files indicates that personally identifiable information (PII) is involved.

Screenshot from the dark web leak site of the Everest ransomware gang (Image credit: Hackread.com)

Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, commented on the tactics: “Initial research points to tactics like harvesting credentials and targeting Active Directory, though those claims aren’t always reliable. If this attack is genuine, it suggests Coca-Cola’s cybersecurity investments may not have been enough to stop it.”

**Gehenna Claims Major Breach at Coca-Cola Europacific Partners**

In a separate incident, the Gehenna hacking group claims to have breached CCEP’s Salesforce dashboard earlier this month. The group says it exfiltrated more than 23 million records, dating back to 2016, containing sensitive customer relationship management (CRM) data.

The data allegedly includes 7.5 million Salesforce account records (6GB), 9.5 million customer service cases (52GB), 6 million contact entries (5GB), and over 400,000 product records (300MB).

Gehenna shared samples on a public data breach forum, which included case logs referencing Coca-Cola Enterprises Norway, complete with customer support history and contact details.

The group also posted a message aimed at CCEP employees, stating that they are “open to offers” and warning that they “have more where that came from.” Gehenna also claimed responsibility for previous incidents affecting Samsung Germany and Royal Mail, adding weight to the seriousness of their statement.

The group has also provided contact information via Telegram and appears to be actively soliciting a response from Coca-Cola Europacific Partners.

The screenshot shows Gehenna’s post about CCEP’s alleged breach (Image credit: Hackread.com)

Both incidents come amid an uptick in cyberattacks targeting large multinational corporations, particularly those holding customer and employee data at scale. The tactics used by Everest and Gehenna reflect different approaches (ransomware extortion and data leak-based pressure), but the goal is similar: making money out of stolen information.

Coca-Cola and CCEP have not publicly confirmed the breach at the time of writing.

John Bambenek, President at Bambenek Consulting, noted the broader risk with cloud platforms: “As companies adopt more SaaS solutions, it opens new doors for threat actors. SaaS platforms often lack the logging and security visibility that traditional infrastructure provides.”

He advised that “Organizations need to prioritize integrating SaaS logs into their SIEM and building detections for suspicious behaviour like large-scale data lookups from a single user account to avoid being caught off guard.”

Nevertheless, both groups appear to be active and well-resourced. Whether through law enforcement action or internal response, a public statement may help clarify the real impact behind the claims.
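
The detection Bambenek describes (large-scale data lookups from a single user account) can be sketched as a sliding-window rule over SaaS audit events once they reach the SIEM. This is an added example, not code from the article or from anyone quoted in it; the event schema, field names, sample events and thresholds are all constructed assumptions, not a vendor log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T02:00:00", "user": "svc_integration", "action": "export", "rows": 40_000},
    {"ts": "2025-05-01T09:00:00", "user": "alice", "action": "query", "rows": 120},
    {"ts": "2025-05-01T09:00:30", "user": "bob", "action": "login", "rows": 0},
    {"ts": "2025-05-01T09:01:00", "user": "bob", "action": "query", "rows": 20_000},
    {"ts": "2025-05-01T09:03:00", "user": "bob", "action": "query", "rows": 20_000},
    {"ts": "2025-05-01T09:05:00", "user": "alice", "action": "query", "rows": 300},
    {"ts": "2025-05-01T09:06:00", "user": "bob", "action": "export", "rows": 15_000},
    {"ts": "2025-05-01T09:08:00", "user": "bob", "action": "query", "rows": 10_000},
    {"ts": "2025-05-01T09:30:00", "user": "bob", "action": "query", "rows": 100},
    {"ts": "2025-05-01T11:00:00", "user": "alice", "action": "query", "rows": 80},
]

def detect_bulk_lookups(events, window=timedelta(minutes=10), max_rows=50_000):
    """Alert once per burst when a user's rows returned within `window` exceed `max_rows`."""
    recent = defaultdict(deque)  # user -> (timestamp, rows) pairs still inside the window
    totals = defaultdict(int)    # user -> running row count for the window
    alerting = set()             # users already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in ("query", "export"):
            continue  # only data-access events count toward volume
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        q = recent[user]
        q.append((ts, ev["rows"]))
        totals[user] += ev["rows"]
        while ts - q[0][0] > window:  # evict events that fell out of the window
            totals[user] -= q.popleft()[1]
        if totals[user] <= max_rows:
            alerting.discard(user)    # burst is over; re-arm the rule for this user
        elif user not in alerting:
            alerting.add(user)
            alerts.append({"user": user, "window_start": q[0][0].isoformat(),
                           "at": ev["ts"], "rows_in_window": totals[user]})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_lookups(SAMPLE_EVENTS):
        print(alert)
```

A fixed threshold will flag legitimate bulk jobs, so in practice it is tuned per account type or replaced with a per-user baseline.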
