Cyber Incident Victim: Matthew Clark Bibendum
Date:
Apr 2021
Location:
United Kingdom
Summary
A UK-based alcoholic and soft drink distributor subsidiary experienced a cybersecurity incident, prompting an immediate shutdown of all IT systems in accordance with its response plan. The parent company confirmed the incident impacted subsidiary operations but not its own systems, with forensic IT experts and legal counsel engaged to investigate and restore services. Due to existing reduced operational volumes from pandemic restrictions, the subsidiary temporarily supported customers and suppliers through manual processes while working to resolve the disruption. Relevant authorities, including data protection officials, were notified alongside direct communications to affected customers and suppliers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 16, 2021, Matthew Clark Bibendum (MCB), a UK and Ireland beverage distributor and subsidiary of C&C Group, detected a cybersecurity incident impacting its Matthew Clark and Bibendum business units. The company immediately activated its predefined cybersecurity response plan, which included the precautionary shutdown of all IT systems to contain the threat. MCB engaged a leading forensic IT firm and legal counsel to investigate the incident’s scope and origin while working to restore systems safely. Operations transitioned to manual processes to maintain limited customer and supplier support during the disruption. The parent company, C&C Group, confirmed the incident was isolated to MCB’s infrastructure, with no impact on its own IT systems, which continued normal operations.
The incident occurred amid reduced business volumes due to COVID-19 restrictions, which mitigated some operational strain. MCB prioritized manual order processing and communications to minimize service interruptions while systems remained offline. The company formally notified affected customers, suppliers, and regulatory authorities, including the UK Information Commissioner’s Office, aligning with breach disclosure obligations. No specifics regarding data compromise, attack vectors, or threat actors were disclosed publicly. C&C Group stated that further updates would follow only if warranted, indicating a controlled remediation process. Restoration efforts focused on methodical system validation to prevent residual risks upon reactivation.