Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems.
Pepsi Bottling Ventures is the largest bottler of Pepsi-Cola beverages in the United States, responsible for manufacturing, selling, and distributing popular consumer brands. It operates 18 bottling facilities across North and South Carolina, Virginia, Maryland, and Delaware.
27-day exposure window
In a sample security incident notice filed with Montana’s Attorney General office, the company explains that the breach occurred on December 23, 2022. But it wasn’t until January 10th 2023, or 18 days later that it was discovered, with remediation taking even longer.
“Based on our preliminary investigation, an unknown party accessed [our internal IT systems] on or around December 23, 2022, installed malware, and downloaded certain information contained on the accessed IT systems,” reads the notice.
“We took prompt action to contain the incident and secure our systems. While we are continuing to monitor our systems for unauthorized activity, the last known date of unauthorized IT system access was January 19, 2023.”
Based on the results of Pepsi’s internal investigation so far, the following information has been impacted:
- Full name
- Home address
- Financial account information (including passwords, PINs, and access numbers)
- State and Federal government-issued ID numbers and driver’s license numbers
- ID cards
- Social Security Numbers (SSNs)
- Passport information
- Digital signatures
- Information related to benefits and employment (health insurance claims and medical history)
In response to this incident, the company has implemented additional network security measures, reset all company passwords, and informed the law enforcement authorities.
At this time, the review of potentially affected records and systems is still underway, while all affected systems have been suspended from the firm’s regular operations.
The recipients of the breach notices are being offered a one-year free-of-charge identity monitoring service through Kroll to help them prevent identity theft that may occur as a result of the stolen data.
It is still not clear how many individuals were affected by the data breach and whether the affected parties include customers or employees.
BleepingComputer has contacted Pepsi Bottling Ventures to request more details about the attack and the scope of the impact, and we will update this post as soon as we hear back.