New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Pepsi Bottling Ventures Suffers Data Breach

Pepsi Bottling Ventures LLC experienced a data breach caused by information-stealing malware. The organization is the largest bottler of Pepsi-Cola beverages in the US, in charge of producing, marketing, and distributing well-known consumer brands. It runs 18 bottling facilities in Virginia, Delaware, North and South Carolina, and Maryland. The company explained that the breach happened on December 23, 2022, in a sample security incident notice submitted to Montana’s Attorney General’s office. However, it was discovered on January 10, 2023, or 18 days later, and remediation took even longer. “Based on our preliminary investigation, an unknown party accessed [our internal IT systems] on or around December 23, 2022, installed malware, and downloaded certain information contained on the accessed IT systems. We took prompt action to contain the incident and secure our systems. While we are continuing to monitor our systems for unauthorized activity, the last known date of unauthorized IT system access was January 19, 2023,” reads the notice. According to the initial report of Pepsi’s internal investigation, the following data has been affected: names, ID cards, State and Federal government-issued ID numbers, driver’s licenses, home addresses, financial accounts (including passwords, PINs, and access numbers), Social Security Numbers (SSNs), passports, digital signatures, and information related to employee benefits.

Analyst Notes

The company has added more network security measures in reaction to this event, including changing all company passwords and notifying law enforcement. The organization’s routine activities have been paused for all affected systems while an assessment of potentially impacted documents and procedures is ongoing. The recipients of the breach notices are being offered a one-year free-of-charge identity monitoring service through Kroll to help them prevent identity theft that may occur as a result of the stolen data. It is unclear how many people were impacted by the data breach and whether those people were clients or employees.