Dole, Pepsi bottler issue more info on recent cyberattacks

Multinational food processing giant Dole and the main U.S. bottler for Pepsi both revealed more information about separate cybersecurity incidents that affected both companies earlier this year.

On Sunday, Dole submitted breach notification documents to regulators in California about a February ransomware attack. The company confirmed that employee data was accessed during the attack. While the California documents do not say how many people were affected, documents filed with regulators in Maine last week said the information of about 3,885 people was involved.

The company – which operates in 75 countries and reported revenues over $6.5 billion in 2021 – said that it has “no reason to believe” that employee data “was or will be subject to any fraudulent misuse.” But it is notifying all U.S. Fresh Fruit employees of the incident and providing complimentary 1-year credit monitoring.

“The information varies by individual, but may include information collected in the course of your employment with us, such as your name, address, telephone number, driver’s license, Social Security number, passport number, date of birth, and/or other employment related information,” Dole said.

They are still investigating the incident with a cybersecurity firm but law enforcement agencies involved have “not requested any delay in providing this notification.”

The ransomware attack in February forced several of the company’s production plants in North America to close temporarily. CNN reported that the incident had impacted shipments to grocery stores in New Mexico and Texas.

In its Q1 earnings report in May, the company said the attack affected their fresh vegetables business as well as their operations in Chile.

“Direct costs related to the incident were $10.5 million of which $4.8 million related to continuing operations,” the company said.

Separate filings with the U.S. Securities and Exchange Commission said the ransomware attack impacted “approximately half of Legacy Dole’s servers and one-quarter of its end-user computers.”

“The attack also resulted in unauthorized access to certain Dole information, including information about certain employees, although Dole has no reason to believe any employee information was publicly released,” they said.

Pepsi Bottling Venture confirms attack

Pepsi Bottling Ventures also addressed a cybersecurity incident that came to light in February. The company said it has 19 locations in North Carolina, South Carolina, Maryland, and Delaware and is the largest bottler of Pepsi products in the U.S.

BleepingComputer was first to report in February that the company filed documents with regulators in Maine about a breach that occurred in December. But the company did not respond to requests for comment from multiple outlets including Recorded Future News.

On Monday, the company said current and former employees and contractors were affected by the incident, noting that the incident did not involve any information from PepsiCo.

“On January 10, 2023, Pepsi Bottling Ventures learned that unauthorized activity was reported on certain internal IT systems,” the company said.

“Based on its investigation, an unknown party accessed those systems on or around December 23, 2022, and downloaded certain information contained in the accessed IT systems. As of January 19, 2023, PBV has detected no unauthorized activity.”

The information accessed inc;udes names, addresses, emails, financial account information – including passwords, PINs and other access numbers – driver’s licenses, ID cards Social Security numbers, passport information, digital signatures, documents on employee benefits and employment, medical history, health insurance claims and policy numbers.

Victims will get one year of free identity protection services but the company urged those affected to change passwords and usernames for all accounts connected to Pepsi Bottling Ventures.

Despite filing documents about the breach in February, the company filed a second, identical set of documents last week with the Maine Attorney General’s office.

The company did not respond to requests for comment about why the documents were filed a second time – but the June filing increased the number of victims from 17,000 to 28,000.