Pepsi Bottling Ventures, the largest privately-held bottler of Pepsi-Cola products in the United States, says personal information was stolen from its systems following a malware attack.
Founded in 1943, the company operates 18 bottling and distribution facilities in North and South Carolina, Maryland, Virginia, and Delaware, and employs more than 2,300 people.
On February 10, the company started sending out notification letters to inform an unknown number of individuals that their personal information might have been compromised during a month-long data breach.
The incident, Pepsi Bottling Ventures says, was discovered on January 10, but the investigation that was launched into the matter revealed that attackers gained access to the company’s network on December 23. The unauthorized access was blocked on January 19.
While dwelling in Pepsi Bottling Ventures’ network, the attackers deployed malware and downloaded information stored on the systems they had access to, the company notes in the notification letter, a copy of which was filed with the Montana Attorney General.
Stolen personal information includes names, addresses, email addresses, financial information, Social Security numbers, driver’s license numbers, ID card and password information, benefits information, health insurance information, medical history, health and health insurance claims, and digital signatures.
The company says it has taken steps to contain the incident and improve its security, including by prompting a company-wide password reset on all employee accounts.
Pepsi Bottling Ventures did not reveal the type of malware used in the attack and it’s unclear if the attack was conducted by a ransomware group.
SecurityWeek has emailed the company for additional clarifications on the cyberattack and will update this article as soon as a reply arrives.
Related: 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
Related: 820k Impacted by Data Breach at Zacks Investment Research
Related: 25k Nissan Customers Affected by Data Breach at Third-Party Software Developer