Coca-Cola disclosed a ransomware attack on its Fairlife dairy subsidiary on July 16, 2026, suspending all US production operations indefinitely. The attack hit production-related systems at the Chicago-based company, which reported an estimated $4 billion in annual sales as of 2024, according to TechCrunch. The incident arrives as new industry data shows identity-based intrusions have overtaken software vulnerabilities as the leading ransomware entry point.
Coca-Cola’s Fairlife Shuts US Production After Ransomware Hit
Coca-Cola’s Fairlife subsidiary has halted all US dairy production following a ransomware attack that compromised production-related systems, with no confirmed timeline for restoration. Canadian operations remain unaffected. The company filed an SEC disclosure on July 16 and has engaged outside cybersecurity advisors and notified law enforcement.
In its SEC filing, Coca-Cola said: “After detecting the issue, the Company promptly activated its incident response and business continuity protocols.” The company added that product quality and safety have not been impacted, but stopped short of disclosing how the breach occurred, who was responsible, or whether any ransom demand has been received.
As of publication, SecurityWeek reported that no known ransomware group had claimed responsibility for the attack. Coca-Cola said its investigation into the full scope, nature, and material impact of the incident remains ongoing.
Food and beverage sector ransomware attacks have a documented history of extended disruption. TechCrunch noted that past incidents at Arizona Beverages in 2019 and food distributor UNFI resulted in weeks-long production shutdowns and empty grocery shelves.
Identity Attacks Now Drive More Ransomware Than Exploits
For the first time in three years, software vulnerability exploitation is no longer the leading cause of ransomware attacks — identity compromise has taken its place, according to Sophos’ State of Ransomware 2026 report published July 15. The report surveyed 2,158 IT and cybersecurity leaders across 17 countries, all from organizations hit by ransomware in the past year.
According to Dark Reading’s coverage of the Sophos report, malicious email accounted for 26% of ransomware root causes and phishing for 24% — together comprising half of all entry points. Vulnerability exploitation fell to 18%, down sharply from 32% in the prior year’s data.
Two-thirds of ransomware victims — 67% — said the attack they suffered was also their most significant identity attack of the past year. MFA was deployed in 97% of credential-based attacks but still failed to prevent compromise, underscoring that MFA alone is not a sufficient defense against sophisticated phishing and social engineering.
Sophos advised organizations to “deploy advanced email filtering, implement DMARC/DKIM/SPF protocols, and invest in regular phishing awareness training,
Related news
- What Makes A Compelling Cybersecurity Acquisition In 2026 – Forbes Tech
- Google Bets ‘Agentic Defense’ Strategy Can Outpace Attackers – Dark Reading
Sources
- Identity Attacks Overtake Exploits as Top Ransomware Cause – Dark Reading
- Coca-Cola Suspends US Fairlife Production Due to Ransomware Attack – SecurityWeek
- Third US Security Expert Sentenced to Prison for Helping Ransomware Gang – SecurityWeek
- Coca-Cola suspended production at its Fairlife dairy after a ransomware attack – TechCrunch
- In Other News: Iran Tracks US Military Phones, CrashStealer macOS Malware, CVD Blueprint – SecurityWeek






