Pepsi Bottling Ventures confirmed this week that vast quantities of personal data were stolen in a cyber attack.
The incident began late last year, after criminal hackers broke into the organisation’s systems and installed malware.
It took almost three weeks for Pepsi Bottling Ventures, the largest bottler of Pepsi-Cola in the US, to spot the intrusion, during which time the attackers had widespread access to its internal systems.
Based on a letter sent to affected individuals, the following information was stolen:
- Full names
- Home addresses
- Financial account information (including passwords, PINs and access numbers)
- State and federal government-issued ID numbers
- Driving license numbers
- ID cards
- Social Security numbers
- Passport information
- Digital signatures
- Information related to benefits and employment (health insurance claims and medical history)
The notification letter didn’t confirm how many people are affected by the data breach or who this information belongs to.
What went wrong?
In a security notice filed with the Montana Attorney General’s office, Pepsi explained that the breach started on 23 December 2022.
“Based on our preliminary investigation, an unknown party accessed [our internal IT systems], installed malware, and downloaded certain information contained on the accessed IT systems,” the organisation wrote.
Pepsi said that it “took prompt action to contain the incident and secure [its] systems”. It later specified that it detected the intrusion eighteen days after it began and shut the attackers out of its systems another nine days later, on 19 January.
Although this might sound like a long time, it’s much faster than the average organisation’s response. According to an IBM and Ponemon Institute report, it typically takes 207 days to identify a breach and 75 days to contain it.
That Pepsi was able to rectify the situation comparatively quickly is, to some extent, commendable – particularly given that the breach occurred on the last business day before Christmas.
However, not every data breach is as glaring as this one, in which the cyber criminals had continual access to what appear to be complete records of affected individuals.
Another factor that will leave a sour taste in the mouth is Pepsi’s equivocation on whose information this is.
The nature of the compromised data suggests that it belongs to Pepsi Bottling Ventures employees – if only because you wouldn’t expect a manufacturer to have any significant amounts of data on customers.
That said, if recent data breaches have taught us anything, it’s that you can never be too cautious about the data privacy practices of multinationals. By not clarifying who was affected in the incident, Pepsi will only sow suspicion and uncertainty.
There may well be a legitimate reason for it to gather personal information about clients. Indeed, the organisation handles not only the bottling process but also the sale and distribution of Pepsi-Cola beverages.
This includes the eponymous soft drink, as well as other popular drinks, including Mountain Dew, Mug Root Beer, Aquafina, Tropicana and Starbucks’ Frappuccino.
It might also be the case that the attackers managed to gain access to the systems of Pepsi Bottling Ventures’s parent company, in which case the damage could be far more extensive.
For the time being, Pepsi says its investigation is still ongoing, and it has not yet responded to media requests for more details about the attack.