Cyber Incident Victim: Fairlife
Date:
Jul 2026
Location:
United States of America
Summary
Fairlife, a dairy subsidiary of Coca-Cola, was hit by a ransomware attack that led the company to suspend its United States operations after discovering unauthorized third‑party access to parts of its systems, including those tied to production. The firm described the incident as a ransomware event, engaged external cybersecurity experts, notified authorities, and stated that product quality and safety were not affected while Canadian production continued. The full scope and potential material impact remain under investigation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 16, 2026, Coca-Cola discovered that an unauthorized third party had gained entry to part of Fairlife's systems, including systems related to production, as disclosed in an SEC filing. The company characterized the incident as a ransomware event and subsequently suspended Fairlife's operations in the United States. Fairlife's production facilities in Canada continued to operate without interruption. The discovery prompted the company to initiate an internal investigation and to seek external cybersecurity assistance.

Coca-Cola engaged external cybersecurity experts to assist with the investigation and remediation efforts, and it notified relevant authorities about the breach. In the SEC filing, the company stated that product quality and safety were not impacted by the incident. The filing also noted that the full scope, nature, and impacts of the incident were not yet known, and that Coca-Cola had not yet determined whether the incident was reasonably likely to materially affect the company.
Fairlife reported approximately $4 billion in sales for the fiscal year 2024, as referenced in the filing. At the time of the disclosure, the company indicated that it was working to secure its systems and restore normal operations, but it had not provided a timeline for when US operations would resume. The incident remained under investigation, with no further details about the attackers or the ransom demand disclosed.
