Pepsi Bottling Ventures, the largest bottler of Pepsi-Cola beverages in the United States, is responsible for manufacturing, selling and distributing a variety of popular consumer brands. The company operates 18 bottling facilities across North and South Carolina, Virginia, Maryland and Delaware.

On the 23rd of December, a network intrusion occurred, resulting in a compromise of IT systems, and a data breach. The intrusion was only discovered nearly three weeks later, on January 10th.

Employees were heavily affected by the breach. Social security numbers, financial account details, state and federal government-issued ID numbers, driver’s license numbers, digital signatures, passport details, benefits information, health insurance claims, and other employment-related information were all compromised.

Breach disclosure

The company publicly shared information about the breach on February 10th, in an email sent to consumers (and via a notice filed with the attorney general of Montana).

Whether or not the breach affected suppliers or customers, whose personal information could have been stolen, remains unclear.

Key insights

The most concerning aspect of this situation pertains to the time gap between when the attack took place and when Pepsi Bottling Ventures managed to identify it. The cyber criminals had nearly three weeks of access to data without anyone’s knowledge of its compromise. Cyber criminals can do a lot of damage in just a few weeks.

“Any person or organizations impacted by this incident must be on alert of attack vectors such as identity and financial fraud, among others, and should take up the offer of free credit monitoring in an effort to better protect themselves from nefarious activity,” warned High Ground CEO, Mark Lamb.

Individuals affected by the breach will be provided with the now traditional one-year-free identity monitoring service by Kroll. The challenge here is that attackers often sit on information for more than a year – knowing that the identity theft protection will expire.

Incident response

In response to the breach, Pepsi Bottling Ventures has implemented additional network security measures, reset all company passwords and informed law enforcement agencies. Any other steps taken to mitigate this incident and to prevent future incidents have not been publicly disclosed.

“We took prompt action to contain the incident and secure our systems,” wrote CEO Derek Hill, in a breach notification letter.

Further thoughts

The malware type deployed within the attack has not yet been revealed. It remains unclear as to whether or not the attack was conducted by a ransomware group.

The Pepsi Bottling Ventures breach notification letter was sent out just weeks after the restaurant chain known as Five Guys disclosed a similar breach that affected employee data.

In January, email marketing firm Mailchimp disclosed a data breach that allowed intruders to access internal customer support and account administration tools, showing the data belonging to 133 of its customers.

Also last month, PayPal distributed data breach warnings to roughly 35,000 platform users, whose accounts were compromised during a credential stuffing attack in December of 2022.

For more data breach insights, please see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter.