A recent report has revealed that towards the close of 2022, a gang of malicious operators broke into the dedicated systems of US company Pepsi Bottling Ventures. Well known as the most prominent privately owned bottler of Pepsi-Cola beverages in the United States, the firm was unaware that malicious software had been installed on its network with the aim of stealing personally identifiable information (PII).

Duration of a data breach

Investigators have uncovered that, for close to a month, the malicious software deployed on Pepsi Bottling Ventures' company network was secretly exfiltrating PII.

The first indication the bottling company had of the unauthorised access to its systems came on January 10 this year. However, it then took the company a further nine days to completely cut off the attackers' access to its systems.

Reports show that a dedicated data breach notice was sent to impacted individuals as required under US data protection laws. The notification letter issued to the data subjects confirmed that a concerning selection of personal information was stolen during the attack on Pepsi Bottling Ventures.

The data included the full names of data subjects along with their home addresses, federal and state government-issued identity numbers, driving licence numbers, information related to employment and benefits including medical history and health insurance claims, digital signatures, social security numbers, ID cards and passport information, as well as financial account information like passwords, access numbers and personal PINs.

Assessing the impact of a breach

Based on the scarce details revealed to those impacted by the devastating data leak, it is not immediately clear just how many individuals may have been affected by the malicious attack. It is also unknown whether any of the enterprise's customers or business partners are impacted. However, considering the information on the event that has been shared to date, it appears that the data stolen during the system penetration pertains to Pepsi staff.

Due to the highly sensitive nature of the PII that was exfiltrated over the month-long breach, it goes without saying that individuals whose data was exposed are now at considerable risk. From attempts to commit identity theft to phishing attacks aimed at stealing further data or finances, there are now multiple threats facing data subjects left vulnerable by the incident.

By way of compensation, individuals impacted by the breach at Pepsi Bottling Ventures are now being offered a free identity monitoring service for one year. The company is also recommending that all users of its network change their personal login credentials, and make sure that they have not used the exposed passwords for any other accounts online. If they have made this common mistake, they are advised to change those passwords promptly as well.

In its recent notice, Pepsi Bottling Ventures also stated that it has now informed law enforcement agencies regarding the attack and reset its company passwords. It has also taken additional measures to enhance the security of its network.