Cyber Threat Intelligence Report: Coca-Cola Gulf & CCEP Data Leak

(By Siva Prasad Boddu, Abhishek Samdole & Rudra Pratap)

Summary:

We observed two data leaks: one affecting Coca-Cola Gulf and the other affecting Coca-Cola Europacific Partners (CCEP).

The Coca-Cola Gulf data leak occurred on May 22, 2025. The breach was claimed by the Russian-linked hacking group Everest Ransomware. The group posted on a dark web leak site, saying it had stolen personal data from 959 employees, including details on the Gulf Coca-Cola Beverages CEO. The data was taken primarily from Coca-Cola’s Middle East distributor, specifically the Dubai office at the Dubai Airport Free Zone (DAFZ).

Another incident involved Coca-Cola Europacific Partners (CCEP), which was claimed by the hacking group Gehenna and posted on the dark web. The actor said he was selling the Coca-Cola Europacific Partners Salesforce database, which contained 64 gigabytes of data, including “Salesforce accounts, Salesforce cases, Salesforce contacts and Salesforce products.” According to the threat actor, he was also responsible for the Samsung Germany and Royal Mail data breaches.

Victim:

Coca-Cola

The Coca-Cola Company, started in 1892 in America, makes and sells drinks like Coca-Cola, other soft drinks, and some alcoholic beverages. It has over 500 brands in more than 200 countries, making it the biggest drink company in the world and one of the largest in the U.S. It’s also one of the most successful brands ever. In 2024, it earned $47.06 billion, made a profit of $10.63 billion, and had $100.5 billion in assets. It works in over 200 countries (except Russia) and its drinks make up over 1.3 billion of the 50 billion drinks people have daily worldwide. As per records up to 2024, it had 69,700 employees globally. 

Coca‑Cola Europacific Partners (CCEP):

Coca‑Cola Europacific Partners, established in 2016 and headquartered in Uxbridge, England, is the world’s largest independent bottler of Coca‑Cola products. In 2021, it became even bigger after buying Coca‑Cola Amatil. CCEP operates 42 bottling plants across Europe and the Asia‑Pacific region, handling over 50 well-known brands including Coca‑Cola, Fanta, Sprite, Diet Coke, Capri‑Sun, Monster, and others. It has about 41,000 employees. In 2024, it made €20.44 billion in sales and €1.44 billion in profit. Its major shareholders include Olive Partners and The Coca‑Cola Company.

About the data breach:

Coca-Cola Gulf Data Breach:

On May 22, 2025, the hacking group Everest claimed to have breached Coca-Cola employee data. The breach contained information including employees’ personal numbers, full names, dates of birth, nationalities, ID or passport numbers, passport issue and expiry dates, residential addresses, occupations and sponsor numbers. Sponsor numbers are relevant for employees in regions such as Bahrain and the United Arab Emirates, where sponsorship is part of visa processes.

Personal Details of CEO – Gulf Coca-Cola Beverages:

Screenshots one through seven contain information about the Gulf Coca-Cola Beverages CEO, including name, job title, email address, permanent and current addresses, nationality, labor card, passport, United Arab Emirates residency details and payment information such as a bank account number.

Employee Details:

There were 1,104 files, including passport scans, visa copies, labor cards and IDs, most linked to employees in Bahrain and the United Arab Emirates.

Update:

The same information was leaked on the dark web. A screenshot showed that threat actors named “GATTI” and “Tanaka” posted the details on the dark web.

Coca-Cola Europacific Partners (CCEP) Data Breach:

As previously mentioned in the summary, in early May 2025, Coca-Cola Europacific Partners, the world’s largest independent Coca-Cola bottler by net revenue, experienced a data breach in its Salesforce environment. The breach was claimed by a hacking group known as Gehenna, also referred to as GHNA.

The actor said he was also responsible for the Samsung Germany and Royal Mail data breaches. He claimed to have stolen 23 million records between 2016 and 2025.

A total of 64 gigabytes of data was compromised, including 6 GB of Salesforce accounts, 52 GB of Salesforce cases, 5 GB of Salesforce contacts and 300 MB of Salesforce products.

What is a Salesforce Dashboard and Why is it Significant?

Salesforce is a cloud-based CRM platform used by organizations like CCEP to manage customer relationships, sales, support cases, and business operations. A Salesforce dashboard provides a visual interface for tracking key performance indicators (KPIs), customer interactions, and operational data. It integrates sensitive business and customer information, making it a high-value target for cybercriminals.

Salesforce Accounts Sample:

Salesforce Cases Sample:

Salesforce Contacts:

Salesforce Products:

Account Names:

The actor in the screenshot said the price was “We’re open to offers” and included a Telegram link for contact.

In The End:

The Everest ransomware gang stole sensitive personal information from 959 Coca-Cola employees in the Middle East, including names, passport numbers, addresses and banking details. The group leaked the data online after Coca-Cola ignored its ransom demand.

The breach puts employees at risk of identity theft, fraud and phishing attacks, while Coca-Cola faces potential fines and damage to its reputation. The theft underscores the danger of ransomware groups such as Everest, which target major companies and expose private data.

In a separate attack, the Salesforce dashboard of Coca-Cola Europacific Partners was targeted. Hackers claimed to have stolen 64 gigabytes of data containing 23 million records.

 

 

 

 

 
