Third Party Lets Pepsi Data Out of the Bottle, PII Nicked
Contractors and employees—both current and former—at Pepsi Bottling Ventures LLC (PBV) found themselves in the crosshairs of bad actors recently when a security incident exposed their personal information.
According to a notice from the company, on January 10, 2023, PBV became aware of unauthorized activity on some of its internal IT systems. PBV said that the activity took place on December 23, 2022, when an as-yet-unidentified party tapped its systems and downloaded the information, which included names, home and email addresses, driver’s license numbers, passport and other ID numbers and financial account information. In the latter category, the company said that in some instances the third party got PIN codes and other access numbers. Information about benefits and employment—even limited medical history and health and insurance claims—was nicked by the miscreant.
Pepsi reported the incident and suspended all of the systems affected. “At this time, we are not aware of any identity theft or fraud involving an individual’s personal information,” the company said in a statement.
The company is offering identity monitoring to its customers and advised them to take precautions. “Promptly change username(s), password(s) and security question answer(s) for any accounts or account information maintained with Pepsi Bottling Ventures and take any other appropriate steps to protect all other online accounts maintained by you that use the same username, password or security question answer,” PBV said.
Experts noted the lag between PBV uncovering the incident and subsequent action. “Unfortunately, this type of long delay in discovering and acting upon a breach is all too common,” said Willy Leichter, VP of marketing at Cyware.
And he took issue with claims that the incident was contained. “But saying that they have ‘contained’ the breach after not discovering it for six months stretches credulity,” said Leichter. “Indicators of compromise of breaches need to be discovered in hours or days for there to be any chance of limiting the damage.”
Roy Akerman, co-founder and CEO at Rezonate, also expressed concern about the nature of the data stolen. “Unlike a credit card, username, password or other personally identifiable information (PII), an identity cannot be simply replaced and will be forever compromised and at risk,” said Akerman.
“The highest-value intel on the dark web was and will continue to be PII and health care information. Identity data will therefore continue to be the number-one target and the means which attackers leverage to compromise systems and organizations,” he said.