Coca-Cola Denies Ultimatum: Everest Ransomware Group Dumps Employee Data Due to Unpaid Ransom

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

On May 22, Everest listed Coca-Cola on its dark web leak site, claiming to have accessed and stolen data belonging to 959 employees. The attackers allegedly gave Coca-Cola five days to negotiate before releasing the data. When no response came, the group published a link on May 27 to the stolen dataset.

Researchers found the breach includes 1,104 files, containing highly sensitive information like passport scans, visa copies, national ID details, and other personal records — most tied to employees in Bahrain and the UAE.

The leaked data reportedly contains the following: 

Once released on the dark web, data of this nature is often misused for identity theft, phishing, and financial fraud. Regulatory scrutiny under local data protection laws could follow, bringing fines, legal exposure, and long-term reputational damage to Coca-Cola.

This marks the second incident involving Coca-Cola within a week. Earlier, cybercriminals on a hacking forum claimed to be selling 64GB of data allegedly stolen from Coca-Cola Europacific Partners, likely via a compromised Salesforce account.

The Everest group, active since 2020, is allegedly connected to the BlackByte cartel. Actively targeting the healthcare sector since December 2021, they were primarily focused on data exfiltration before shifting to ransomware activities. Their ransomware strain has been linked to EverBe 2.0 and the Russia-based BlackByte group. 

After the Colonial Pipeline incident, their data leak site (DLS) became unreachable, and they increasingly function as an Initial Access Broker (IAB), seeking various remote access methods like RDP with VPN, shell, VNC, and hVNC.

