Pepsi Bottling Ventures, America’s largest manufacturer and distributor of Pepsi-Cola beverages, said its network had been breached by threat actors who made off with personal and financial information.
According to the breach notification letter sent to consumers, the breach, successfully executed by deploying info-stealing malware, happened around December 23, 2022. Pepsi did not discover the criminal activity until January 10.
In the notice, the corporation said that an unknown party accessed its internal IT systems, installed malware, and downloaded certain information.
“We took prompt action to contain the incident and secure our systems. While we are continuing to monitor our systems for unauthorized activity, the last known date of unauthorized IT system access was January 19, 2023. We reported the incident to law enforcement and are cooperating with their investigation,” the company said.
The list of information stolen is long and scary. It varies by individual, but it may have included first and last names, home and email addresses, financial account data, including a limited number of passwords, PIN codes, or other access numbers.
Additionally, the crooks stole driver's license numbers, ID cards, social security numbers and passport information, digital signatures, limited medical history, and health insurance information.
Pepsi said it was not aware of any identity theft or other fraud involving stolen data – the firm allegedly took “prompt action” to secure its systems. It also said all company passwords have to be changed.
In addition, Pepsi said it would provide the victims of the theft with a year’s worth of free identity monitoring services from Kroll, a risk mitigation and response provider. This covers credit monitoring, identity theft restoration, and $1 million identity fraud loss reimbursement.
Finally, the company has urged all users to change their usernames, passwords, answers to security questions, and any other confidential information as a precautionary measure following the cyberattack.
However, the threat obviously remains as the stolen data can still be used in cyberattacks at any time. If customers suffer financial losses as a result of the breach, Pepsi might also face legal action.
The breach highlights the need for companies to be proactive in protecting their sensitive information and safeguarding against cyber threats. The stolen data may be sold on dark-web forums and used for cyber crimes such as identity theft, doxxing, phishing, and other types of social engineering.
Similar network intrusions and thefts of data have been occurring more frequently. Just last week, over three million patient records were breached in a California health network ransomware attack.