Coca-Cola Europacific Partners and Coca-Cola: Coca-Cola, Bottling Partner Named in Separate Ransomware and Data Breach Claims

Coca-Cola and Bottling Partner Hit by Dual Cyberattacks from Everest and Gehenna Groups

Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are grappling with separate cyberattack claims from two distinct threat groups. The Everest ransomware gang alleges it breached Coca-Cola’s systems, while the Gehenna (GHNA) hacking group claims to have stolen a massive database from CCEP’s Salesforce environment.

Everest Ransomware Targets Coca-Cola

The Everest group listed Coca-Cola as a victim on its dark web leak site, releasing screenshots of internal documents and personally identifiable information (PII) belonging to 959 employees. The leaked data includes visa and passport scans, salary details, and HR records, with evidence suggesting the breach targeted Coca-Cola’s Dubai office in the Dubai Airport Free Zone (DAFZ). Cybersecurity experts speculate the attack may have involved credential harvesting and Active Directory exploitation, though Coca-Cola has not confirmed the incident.

Gehenna Claims Massive CCEP Salesforce Breach

In a separate attack, the Gehenna hacking group asserts it breached CCEP’s Salesforce dashboard earlier this month, exfiltrating over 23 million records dating back to 2016. The stolen data includes:

  • 7.5 million Salesforce account records (6GB)
  • 9.5 million customer service cases (52GB)
  • 6 million contact entries (5GB)
  • 400,000+ product records (300MB)

Gehenna shared samples on a public breach forum, revealing customer support logs from Coca-Cola Enterprises Norway, complete with contact details. The group, which has previously targeted Samsung Germany and Royal Mail, is actively soliciting offers from CCEP via Telegram.

Broader Implications

Both incidents highlight the growing threat to multinational corporations, particularly those handling large-scale customer and employee data. While Everest employs ransomware extortion, Gehenna leverages data leaks for financial gain. Security experts warn that SaaS platforms like Salesforce often lack robust logging, increasing vulnerability to such attacks.

Neither Coca-Cola nor CCEP has publicly confirmed the breaches at this time. The full impact of these claims remains unclear as investigations continue.

Source: https://hackread.com/coca-cola-bottling-partner-ransomware-data-breach/

Coca-Cola Europacific Partners cybersecurity rating report: https://www.rankiteo.com/company/coca-cola-europacific-partners

"id": "COC1770775171",
"linkid": "coca-cola-europacific-partners",
"type": "Breach",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Beverage',
                        'location': 'Dubai, UAE (Dubai Airport Free Zone)',
                        'name': 'Coca-Cola',
                        'type': 'Corporation'},
                       {'industry': 'Beverage',
                        'location': 'Global (Norway mentioned)',
                        'name': 'Coca-Cola Europacific Partners (CCEP)',
                        'type': 'Bottling Partner'}],
 'attack_vector': ['credential harvesting',
                   'Active Directory exploitation',
                   'SaaS platform exploitation'],
 'data_breach': {'data_exfiltration': 'yes',
                 'file_types_exposed': ['visa and passport scans',
                                        'salary details',
                                        'HR records',
                                        'customer service logs'],
                 'number_of_records_exposed': ['959 (employee records)',
                                               '23 million+ (Salesforce '
                                               'records)'],
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['PII',
                                              'employee records',
                                              'customer support logs',
                                              'Salesforce data']},
 'description': 'Coca-Cola and its bottling partner, Coca-Cola Europacific '
                'Partners (CCEP), are grappling with separate cyberattack '
                'claims from two distinct threat groups. The Everest '
                'ransomware gang alleges it breached Coca-Cola’s systems, '
                'while the Gehenna (GHNA) hacking group claims to have stolen '
                'a massive database from CCEP’s Salesforce environment.',
 'impact': {'data_compromised': ['personally identifiable information (PII)',
                                 'employee records',
                                 'customer support logs',
                                 'Salesforce account records',
                                 'customer service cases',
                                 'contact entries',
                                 'product records'],
            'identity_theft_risk': 'high',
            'systems_affected': ['HR systems', 'Salesforce dashboard']},
 'investigation_status': 'ongoing',
 'motivation': ['financial gain', 'extortion'],
 'post_incident_analysis': {'root_causes': ['credential harvesting',
                                            'SaaS platform vulnerabilities']},
 'ransomware': {'data_exfiltration': 'yes', 'ransomware_strain': 'Everest'},
 'references': [{'source': 'Dark web leak site (Everest)'},
                {'source': 'Public breach forum (Gehenna)'}],
 'threat_actor': ['Everest ransomware gang', 'Gehenna (GHNA) hacking group'],
 'title': 'Coca-Cola and Bottling Partner Hit by Dual Cyberattacks from '
          'Everest and Gehenna Groups',
 'type': ['ransomware', 'data breach']}