Towards the end of last year, malicious hackers broke into the systems of Pepsi Bottling Ventures, the largest privately-owned bottler of Pepsi-Cola beverages in the USA, and installed malware.

For almost the month the malware secretly exfiltrated personally identifiable information (PII) from the company’s network.

The first Pepsi Bottling Ventures knew about the unauthorized access to its network was on January 10 2023, but it took a further nine days until the organisation completely shut the attackers out of its systems.

As Bleeping Computer reports, a notification letter sent to affected individuals confirms that a worrying array of information was stolen:

• Full name
• Home address
• Financial account information (including passwords, PINs, and access numbers)
• State and Federal government-issued ID numbers and driving license numbers
• ID cards
• Social Security Numbers (SSNs)
• Passport information
• Digital signatures
• Information related to benefits and employment (health insurance claims and medical history)

Clearly the potential exists for cybercriminals to exploit the information stolen from the company’s network to launch phishing attacks and attempt to commit identity theft.

What isn’t clear from the notification letter is how many people may be affected by the data breach, and whether any business partners or customers are impacted. It certainly appears, from the information shared so far, that the information stolen relates to Pepsi employees.

Affected individuals are being offered free identity monitoring for one year.  Pepsi is also recommending that users change their login credentials, and ensure that they are not using the same password anywhere else on the internet.

The company says that it has informed law enforcement agencies of the attack, reset company passwords, and put in place additional measures to secure its network.