Coca-Cola halts Fairlife US production after ransomware
Coca-Cola disclosed a Fairlife ransomware attack via SEC 8-K on July 16. US dairy production suspended, Canada unaffected. No group has claimed it.
Confirmed: The Coca-Cola Company disclosed a ransomware attack on its Fairlife dairy subsidiary in a Form 8-K filed with the SEC on July 16, 2026. US Fairlife production is temporarily suspended. Canadian operations are not affected, per the filing. Confidence on the disclosure itself: as-reported by Coca-Cola in the 8-K.
The company notified law enforcement and engaged outside advisors. No ransomware crew has claimed responsibility at the time of writing. Whether the intrusion is tied to a known operator: not stated — treat accordingly.
What the filing says
Coca-Cola’s own words, from the 8-K:
“After detecting the issue, the Company promptly activated its incident response and business continuity protocols.”
The 8-K places the unauthorized access inside “production-related systems” at Fairlife. It does not name a specific plant, line, or piece of equipment. It does not disclose when the intrusion began, when it was detected, or how long the operator had access before Coca-Cola noticed. Timeline detail: not provided.
The filing also states that product quality and safety have not been affected. That is the company’s assessment, not an independent audit.
What is not confirmed
- Data theft. The 8-K does not say whether files were exfiltrated. No leak-site posting exists at the time of writing. Unconfirmed.
- Ransom demand. No extortion note or payment demand has been disclosed. Not stated.
- Attribution. No group named. No initial-access vector named. No malware family named. Not disclosed.
- How long US production stays down. The 8-K uses “temporarily” without a projected restart date. Open.
Any post that appears on a leak site in the coming days should be treated as one data point about the operator, not as verification of the scope — leak-site claims routinely inflate what was taken.
Where this sits
This is the second disclosed food-and-beverage ransomware event this quarter and the first named brand at Coca-Cola’s scale. It arrives in a week that already produced Symantec’s Spirals writeup — sub-24-hour full-network encryption from an IIS foothold and continued fallout from the Media Land bulletproof-hosting indictment naming LockBit, BlackSuit, and Play affiliates. Neither ties directly to Fairlife on current evidence — but the operational tempo across those disclosures is the context this one lands in.
Manufacturing operators watching this: the pattern that has held all quarter is that an OT-adjacent IT intrusion is enough to halt a production line without the operator ever needing to touch the plant floor. Coca-Cola’s own framing — “production-related systems” suspended, product safety unaffected — is consistent with an IT-side compromise forcing a defensive shutdown, not a controls-network attack. That distinction matters for lessons-learned; it does not change the outcome, which is that a US Fairlife line is dark today.
What to watch
- A leak-site claim. If one appears, the naming and the sample selection are the two data points worth reading — everything else is noise until the sample can be checked against the company’s own records.
- A restated 8-K or an 8-K/A. Material scope changes (data theft confirmed, ransom demanded, restart timeline slipping) trigger amended filings; those are the definitive record, not press coverage.
- CISA advisory activity. No CISA guidance is out on this incident at time of writing. If one lands with an initial-access vector or a family named, that changes what the rest of the sector should be doing about it.
Confidence on everything above the “what to watch” line: as-reported by Coca-Cola’s 8-K and BleepingComputer’s summary of it. Everything else: unconfirmed — treat accordingly.
Sources
- Coca-Cola Company Form 8-K, filed 2026-07-16 — the primary disclosure.
- BleepingComputer: Coca-Cola says Fairlife ransomware attack halts US dairy production — July 16, 2026.
Found this useful? Share it.


