The Coca-Cola Company has disclosed that a ransomware attack against its Fairlife dairy subsidiary disrupted operations badly enough to halt production at Fairlife’s facilities across the United States.

In a Form 8-K filed with the U.S. Securities and Exchange Commission, Coca-Cola said Fairlife detected unauthorized access to some of its systems, including those tied to production, in connection with the ransomware incident. The company stated it “promptly activated its incident response and business continuity protocols” after discovering the intrusion and has notified law enforcement.

Coca-Cola said its investigation, being conducted with outside advisors and cybersecurity experts, is ongoing and that the full scope of the incident has not yet been determined. As a result, the company has not concluded whether the attack is reasonably likely to have a material impact on its business.

What is known so far

  • Production at Fairlife’s U.S. facilities has been temporarily suspended while systems are restored
  • Canadian production operations are not currently affected
  • Coca-Cola says product quality and safety have not been compromised
  • No ransomware group has publicly claimed responsibility
  • It is not yet known whether data was stolen or whether an extortion demand has been made

Fairlife makes ultra-filtered dairy products including Ultra-Filtered Milk, Core Power protein shakes, and Nutrition Plan drinks, sold throughout the United States. When contacted for additional details on the responsible threat actor, potential data theft, or extortion demands, a Coca-Cola spokesperson said the company had nothing further to add beyond its public filing.

Ransomware groups frequently exfiltrate data before deploying encryption, using the threat of publishing stolen files as additional leverage even after operational disruption is resolved. Given the lack of a claim or confirmed data theft at this stage, it remains possible that details will emerge in the coming days if attackers begin extortion negotiations or list the company on a leak site.

The incident adds to a growing list of ransomware attacks disrupting manufacturing and production environments, where operational technology outages can have immediate real-world supply chain consequences beyond typical IT downtime.