Coca-Cola Data Breach
Coca-Cola has found itself at the center of a cybersecurity crisis after two separate data breaches in May 2025 compromised sensitive personal and corporate data. The attacks, allegedly carried out by the Everest ransomware group and the Gehenna hacking group, exposed internal employee documents and customer-related records. These incidents highlight not only the increasing sophistication of ransomware gangs but also the potential vulnerabilities in even the most secure-seeming organizations.
The Everest Ransomware Breach: Timeline and Data Exposure
On May 22, 2025, Coca-Cola’s name surfaced on a dark web leak site operated by the Everest ransomware group. According to the attackers, they had infiltrated the systems of Coca-Cola’s Middle East distributor and obtained personal data from 959 employees, most of them based in Bahrain and the United Arab Emirates.
In a tactic typical of modern ransomware operations, Everest gave Coca-Cola a five-day window to negotiate a ransom before threatening to publicly release the data. When the company allegedly did not respond, Everest fulfilled its threat, publishing a link to the entire stolen dataset on May 27, 2025.

Cybersecurity researchers at Cybernews analyzed the dataset, uncovering 1,104 files that included:
- Scans of passports, visas, and national IDs
- Residential addresses and sponsor numbers
- Employment details and occupations
- Personal identification numbers, including ID and passport numbers
- Dates of birth and nationality information
- Issue and expiry dates of official documents
Such comprehensive personal data poses a significant threat. Not only does it enable direct financial fraud, such as fraudulent credit applications and tax scams, it also fuels highly targeted social engineering attacks. Attackers can exploit this level of detail to craft convincing phishing emails, conduct account takeovers, and compromise the broader security of affected individuals.
Technical and Strategic Aspects of the Everest Breach
While details about the initial intrusion vector remain unconfirmed, ransomware groups like Everest typically rely on spear-phishing campaigns, credential stuffing, or exploiting vulnerabilities in externally facing systems (such as remote desktop services or VPNs). Once inside the network, these groups leverage tools like Mimikatz to extract credentials and escalate privileges, followed by data exfiltration using secure shell (SSH) tunnels or cloud storage services.
The Everest group’s approach mirrors that of other sophisticated ransomware gangs: focusing not only on encrypting data to halt operations but also on data exfiltration for double extortion. This dual strategy increases pressure on victims, as public leaks of sensitive data can lead to regulatory penalties, loss of business partners, and reputational damage.
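Two of the post-intrusion behaviours named above leave recognisable traces that a defender can look for: a process opening LSASS with memory-read access (the pattern credential-dumping tools produce) and a single internal host pushing a large volume of data to one external destination. The following is an added example, not code from the article or from any of the organisations it describes. It runs simple detection logic over constructed Sysmon-style ProcessAccess records and constructed flow records; the allowlist of processes that may legitimately read LSASS, the internal address ranges and the egress threshold are assumptions to be tuned to a real environment.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010       # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF  # full access; also requested by dumping tools
LSASS = "lsass.exe"

# Assumption: processes that open LSASS with read access as part of normal
# operation on this fleet (e.g. the AV engine). Tune to your own baseline.
DEFAULT_LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}

# Assumption: address space treated as internal for egress purposes.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Sysmon-style events (Event ID 10 = ProcessAccess). Not real logs.
SYSMON_EVENTS = [
    {"event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
    {"event_id": 10, "source_image": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"event_id": 10, "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe"},
]

# Constructed flow records (bytes sent from src to dst). Not real traffic.
FLOWS = [
    {"src": "10.0.5.23", "dst": "203.0.113.7", "dst_port": 22, "bytes_out": 420_000_000},
    {"src": "10.0.5.23", "dst": "203.0.113.7", "dst_port": 22, "bytes_out": 310_000_000},
    {"src": "10.0.5.23", "dst": "10.0.1.2", "dst_port": 445, "bytes_out": 900_000_000},
    {"src": "10.0.7.11", "dst": "198.51.100.4", "dst_port": 443, "bytes_out": 12_000_000},
]


def _basename(path: str) -> str:
    """Return the file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def flag_lsass_access(events: Iterable[dict],
                      allowlist=DEFAULT_LSASS_ALLOWLIST) -> List[str]:
    """Return source images that opened lsass.exe with memory-read rights
    and are not on the allowlist."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 10:
            continue
        if _basename(ev["target_image"]).lower() != LSASS:
            continue
        access = ev["granted_access"]
        reads_memory = bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS
        if not reads_memory:
            continue
        if _basename(ev["source_image"]) in allowlist:
            continue
        hits.append(ev["source_image"])
    return hits


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_bulk_egress(flows: Iterable[dict],
                     threshold_bytes: int = 500_000_000) -> Dict[Tuple[str, str, int], int]:
    """Sum outbound bytes per (src, external dst, port) and return the
    tuples whose total meets the threshold."""
    totals: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if _is_internal(f["dst"]):
            continue  # internal transfers are out of scope for egress
        totals[(f["src"], f["dst"], f["dst_port"])] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


if __name__ == "__main__":
    print("LSASS access outside allowlist:", flag_lsass_access(SYSMON_EVENTS))
    print("Bulk egress:", flag_bulk_egress(FLOWS))
```

The two checks are deliberately independent: a credential-dumping hit on a host that is also the source of a large outbound SSH transfer is a much stronger signal than either alone, which is how an analyst would correlate them. The 0x1010 access mask in the sample event is the combination of PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ; the allowlist matters because security products legitimately open LSASS the same way.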
Coca-Cola Europacific Partners Breach: A Salesforce Compromise
Coinciding with the Everest incident, reports emerged that Coca-Cola Europacific Partners (CCEP), Coca-Cola’s largest bottler, was also breached in early May 2025. Unlike the Everest breach, this incident appears to have involved unauthorized access to Salesforce, the widely used customer relationship management (CRM) platform.

Attackers posted on a cybercriminal forum that they were selling 64 gigabytes of data exfiltrated from Salesforce, allegedly containing:
- Salesforce account data, including user profiles and activity logs
- Customer service case records with detailed conversations and support requests
- Millions of contact entries, including phone numbers and email addresses
- Product and transaction records spanning nearly a decade
Investigations suggest that rather than directly breaching CCEP’s internal systems, the attackers may have exploited compromised Salesforce user credentials or API keys. Such tactics underscore the vulnerability of third-party integrations and highlight the need for strong access controls, multifactor authentication (MFA), and least-privilege principles in cloud environments.
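Compromised CRM credentials or API keys tend to show up in login history as API sessions from unexpected addresses, interactive logins that never completed MFA, and sessions that export far more records than any normal workflow. The following added example (not from the article, and not Salesforce's own API or schema) runs those three checks over constructed login records. The record shape, the partner IP range allowed for the integration account and the export threshold are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption: the integration identity only ever connects from this partner CIDR.
INTEGRATION_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: no legitimate session exports this many records at once.
BULK_EXPORT_THRESHOLD = 1_000_000

# Constructed login-history records in a simplified shape chosen for this
# example. This is not the real Salesforce LoginHistory schema.
LOGIN_RECORDS = [
    {"user": "svc-integration@example.com", "login_type": "API",
     "source_ip": "198.51.100.10", "mfa": False, "records_exported": 40_000},
    {"user": "svc-integration@example.com", "login_type": "API",
     "source_ip": "203.0.113.55", "mfa": False, "records_exported": 5_200_000},
    {"user": "agent1@example.com", "login_type": "UI",
     "source_ip": "192.0.2.8", "mfa": True, "records_exported": 0},
    {"user": "agent2@example.com", "login_type": "UI",
     "source_ip": "192.0.2.9", "mfa": False, "records_exported": 120},
]


def _ip_allowed(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_logins(records: Iterable[dict],
                  allowlist=INTEGRATION_ALLOWLIST,
                  export_threshold: int = BULK_EXPORT_THRESHOLD) -> List[Tuple[str, str]]:
    """Return (user, reason) findings for each record that violates one of
    three expectations: API logins come only from the allowlisted range,
    interactive logins complete MFA, and no session bulk-exports data."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        user = r["user"]
        if r["login_type"] == "API" and not _ip_allowed(r["source_ip"], allowlist):
            findings.append((user, "api_login_outside_allowlist"))
        if r["login_type"] == "UI" and not r["mfa"]:
            findings.append((user, "interactive_login_without_mfa"))
        if r["records_exported"] >= export_threshold:
            findings.append((user, "bulk_export"))
    return findings


def users_to_review(findings: Iterable[Tuple[str, str]]) -> List[str]:
    """Distinct users with at least one finding, in first-seen order, for
    credential rotation or session revocation."""
    seen: List[str] = []
    for user, _ in findings:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, reason in triage_logins(LOGIN_RECORDS):
        print(f"{user}: {reason}")
    print("Review:", users_to_review(triage_logins(LOGIN_RECORDS)))
```

Detection of this kind is the compensating control; the preventive controls the paragraph calls for are enforced on the platform side, by requiring MFA for interactive users, restricting where integration identities may log in from, and granting the integration only the objects and fields it actually needs so that a stolen key cannot export a decade of transaction records.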
The Gehenna Hacking Group: A Broader Threat Landscape

The Gehenna hacking group, allegedly responsible for the CCEP data breach, has a track record of targeting large organizations through third-party service providers. The group also claimed responsibility for the Samsung Germany data breach earlier in 2025, where they exposed 270,000 customer support tickets.
Gehenna’s tactics reflect a broader trend in the ransomware ecosystem: targeting supply chains and third-party service providers to bypass direct network defenses. This approach exploits the interconnected nature of modern IT systems, where a single compromised partner can expose multiple downstream organizations.
Everest Ransomware Group and Its Evolution

Everest, active since mid-2021, is allegedly tied to the Russian-based BlackByte cartel. The group has targeted sectors ranging from telecommunications (including an alleged attack on AT&T in October 2022) to healthcare and critical infrastructure.
Everest typically combines:
- Reconnaissance to identify high-value data and backups
- Living-off-the-land techniques using legitimate IT tools to blend in and evade detection
- Data exfiltration before deploying ransomware payloads
- Public leak sites to publish data if victims refuse to pay
According to Cybernews’ dark web tracker Ransomlooker, Everest has listed at least 248 victims since 2023, reflecting their global reach and persistent threat to corporate data security.
Regulatory Implications and Legal Ramifications
The scale and sensitivity of the data exposed in these breaches could trigger investigations by data protection authorities in the Middle East, Europe, and beyond. Under data protection laws like the EU’s General Data Protection Regulation (GDPR) and similar frameworks in Bahrain and the UAE, Coca-Cola and its partners could face:
- Substantial fines (potentially up to 4% of global annual turnover under GDPR)
- Mandatory breach notifications to affected individuals
- Legal action from individuals or class-action lawsuits seeking damages
In addition to regulatory penalties, the reputational damage can be profound. Coca-Cola’s brand is synonymous with trust, and a breach of this magnitude can erode customer and employee confidence, potentially affecting market share and long-term brand loyalty.
Response and Risk Mitigation
At the time of writing, Coca-Cola has not issued a public statement addressing the Everest and Gehenna breaches. It is likely that internal incident response teams and external cybersecurity consultants are working to:
- Identify the initial attack vectors
- Contain ongoing threats and secure systems
- Notify regulators and impacted individuals
- Evaluate long-term data protection strategies to prevent future incidents
For affected employees and customers, immediate steps include:
- Monitoring personal and financial accounts for suspicious activity
- Placing fraud alerts or credit freezes to reduce the risk of unauthorized credit applications
- Remaining vigilant against phishing emails and calls that leverage the leaked data
- Using multifactor authentication and strong, unique passwords to secure other accounts
Lessons and Broader Implications

The Coca-Cola data breaches of May 2025 reveal critical lessons for organizations of all sizes:
- Cloud Security and Third-Party Risks: Even if internal systems are secure, integrations with third-party platforms like Salesforce can be exploited. Zero-trust principles and strict access controls are vital.
- Employee Awareness: Phishing and credential theft remain common initial entry points. Regular security training is essential.
- Data Minimization: Collecting and storing only essential personal data can limit exposure in a breach.
- Proactive Incident Response: Having a tested response plan can contain the damage and help meet regulatory deadlines for reporting.
The back-to-back attacks on Coca-Cola demonstrate that no organization is immune to these evolving threats. As ransomware gangs refine their techniques and expand their operations, constant vigilance and comprehensive security postures are more crucial than ever.
Conclusion on Coca-Cola Data Breach
The twin data breaches at Coca-Cola and its largest bottling partner underscore the urgency of addressing cybersecurity holistically. Protecting not just internal networks but also cloud environments, third-party applications, and employee data has become a non-negotiable priority in the digital economy. These incidents will likely shape the company’s security strategies and provide important lessons for businesses worldwide navigating the complex and rapidly evolving threat landscape.