Coca-Cola Data Breach: Employee Details Leaked After Ignored Ransom Demand

Hackers leaked Coca-Cola employee data after the company ignored Everest ransomware’s ransom demand. The breach exposed passport scans, visa documents, and personal IDs online.

    The Everest ransomware group has publicly released stolen employee data linked to Coca-Cola’s Middle East operations, after the company failed to respond to ransom demands.

    The leak appeared on May 27 after Everest listed Coca-Cola as a victim on its dark web portal five days earlier. The attackers claimed they had stolen personal records of 959 employees, primarily tied to Coca-Cola’s distributors in Bahrain and the UAE.

    When the ransom deadline expired without contact from the company, the gang published the full dataset online.

    “The exposure of personal documents, such as IDs and Passports, poses a serious identity theft and fraud risk to affected employees,” said the Cybernews research team.

    Hackers Leak Over 1,100 Employee Documents, Including IDs and Visa Copies

    Cybernews researchers analyzed the leaked data and confirmed the presence of 1,104 files, including:

    • Passport scans
    • Visa copies
    • Government-issued IDs

    The exposed files revealed critical personal data such as:

    • Full names
    • Nationalities
    • Dates of birth
    • Passport and ID numbers
    • Issue and expiry dates
    • Sponsor numbers
    • Residential addresses
    • Occupations

    Such sensitive information increases the risk of identity theft, credit card fraud, loan scams, and targeted phishing campaigns.

    “They could suffer from credit card and loan fraud, tax fraud, more personalised social engineering attacks, and account takeover,” the Cybernews team added.

    The breach could also expose Coca-Cola to regulatory scrutiny under regional data protection laws, with possible legal and financial consequences.

    Second Alleged Breach Involving Coca-Cola in One Week

    This incident follows another reported data breach involving Coca-Cola Europacific Partners, the company’s largest bottler. In that case, a separate cybercriminal group claimed to be selling 64GB of data, allegedly accessed via a compromised Salesforce account.

    The attackers behind that breach claim responsibility for an earlier cyberattack on Samsung Germany, which leaked over 270,000 customer support records.

    It is not believed that the Coca-Cola bottler was directly breached. Instead, attackers may have gained access through third-party credentials linked to Salesforce.

    Everest Ransomware Group Continues Global Attacks

    The Everest ransomware gang, suspected of ties to the BlackByte cartel, has operated since mid-2021 and continues to expand its list of victims.

    The group has previously targeted:

    • AT&T (2022) – Claimed access to the telecom giant’s corporate network
    • Mediclinic (2025) – Leaked 4GB of sensitive hospital data just days before the Coca-Cola dump

    According to the Ransomlooker tracker, Everest has listed 248 corporate victims since 2023, using double extortion tactics to force ransom payments.

    Coca-Cola has not issued a public statement or confirmed any details of the breach at the time of writing.
