Coca-Cola has long been a target for cybercriminals, and the beverage giant now faces an unprecedented dual assault from sophisticated ransomware groups targeting both the company and its bottling partners.
The Everest ransomware gang claimed responsibility for breaching Coca-Cola’s systems, particularly targeting its Dubai Airport Free Zone office. At the same time, the Gehenna group launched an attack on Coca-Cola Europacific Partners (CCEP).
The May 2025 breaches, both confirmed on May 22, have exposed sensitive data from multiple corporate systems. Screenshots posted on dark web leak sites suggest the Everest gang accessed internal documents and personal information of 959 employees, including visa scans, passport details, salary data, and HR records.
Simultaneously, the Gehenna ransomware group claims to possess a massive database of extensive data stolen from the Salesforce environment of Coca-Cola Europacific Partners (CCEP) during its cyberattack campaign.
Initial investigations reveal sophisticated attack methods, including credential harvesting and Active Directory targeting. A VP CISO Advisory at ColorTokens noted that Coca-Cola’s cybersecurity investments may have been insufficient to prevent such coordinated attacks. The attackers demanded 1.65 Bitcoin as ransom for the stolen data. With data breach costs averaging $4.35 million, the impact could be devastating for the company’s bottom line.
The incidents follow a concerning pattern of escalating threats against the company, including a 2022 attack by the Russia-supporting Stormous ransomware group, which claimed to have exfiltrated 161GB of critical data.
The company’s response follows its established protocol of coordinating with law enforcement while conducting internal investigations. This latest breach mirrors a previous incident where a former employee stole data affecting over 8,000 workers. Historically, Coca-Cola has maintained minimal public communication during active investigations, as demonstrated by Vice President of Communications Scott Leith’s measured responses to previous incidents.
The simultaneous attacks represent an evolution in tactics against major corporations, with threat actors now coordinating assaults on both parent companies and their partners.
The targeted data spans critical operational information, potentially exposing trade secrets, and includes sensitive employee data from international operations.
This incident highlights the increasing sophistication of ransomware groups, which use dark web leak sites and public announcements to pressure companies into negotiations, marking a significant escalation in cyber threats against global beverage companies.