Third Party Lets Pepsi Data Out of the Bottle, PII Nicked

Contractors and employees—both current and former—at Pepsi Bottling Ventures LLC (PBV) found themselves in the crosshairs of bad actors recently when a security incident exposed their personal information.

According to a notice from the company, on January 10, 2023, PBV became aware of unauthorized activity on some of its internal IT systems. PBV said that the activity took place on December 23, 2022, when an as-yet-unidentified party tapped their systems and downloaded the information, which included names, home and email addresses, driver’s license numbers, passport and other ID numbers and financial account information. In the latter category, the company said in some instances the third party got PIN codes and other access numbers. Information about benefits and employment—even limited medical history and health and insurance claims—was nicked by the miscreant.

Pepsi reported the incident and suspended all of the systems affected. “At this time, we are not aware of any identity theft or fraud involving an individual’s personal information,” the company said in a statement.

The company is offering identity monitoring to its customers and advised them to take precautions. “Promptly change username(s), password(s) and security question answer(s) for any accounts or account information maintained with Pepsi Bottling Ventures and take any other appropriate steps to protect all other online accounts maintained by you that use the same username, password or security question answer,” PBV said.

Experts noted the lag between PBV uncovering the incident and subsequent action. “Unfortunately, this type of long delay in discovering and acting upon a breach is all too common,” said Willy Leichter, VP of marketing at Cyware.

And he took issue with claims that the incident was contained. “But saying that they have ‘contained’ the breach after not discovering it for six months stretches credulity,” said Leichter. “Indicators of compromise of breaches need to be discovered in hours or days for there to be any chance of limiting the damage.”

Roy Akerman, co-founder and CEO at Rezonate, also expressed concern about the nature of the data stolen. “Unlike a credit card, username, password or other personally identifiable information (PII), an identity cannot be simply replaced and will be forever compromised and at risk,” said Akerman.

“The highest-value intel on the dark web was and will continue to be PII and health care information. Identity data will therefore continue to be the number-one target and the means which attackers leverage to compromise systems and organizations,” he said.

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson