Jul 18, 2026
Policy

Ransomware halts US production at Coca-Cola’s Fairlife unit

Coca-Cola said Fairlife paused US plant operations after a ransomware incident affected some production-related systems.

Dominic Okoye

By Dominic Okoye · Staff Writer

· 3 min read

Ransomware halts US production at Coca-Cola’s Fairlife unit
Photo: The Register

Coca-Cola’s Fairlife dairy business has stopped production at its US plants after a ransomware incident hit systems tied to manufacturing, according to a Thursday securities filing by Coca-Cola. The disruption matters beyond one consumer brand because it shows ransomware continuing to reach production environments, where the line between corporate IT outages and plant-floor disruption can determine how quickly a company can recover.

Coca-Cola said Fairlife found that a third party had gained unauthorized access to part of its technology environment, including systems connected to production. The company described the incident as ransomware and said Fairlife activated incident response and business continuity procedures, hired external cybersecurity specialists and contacted law enforcement.

Fairlife’s US facilities are offline while the company investigates and works to bring affected systems back. Coca-Cola said Fairlife’s Canadian operations remain in production. The company did not say how many US facilities were affected or when domestic production is expected to restart.

Fairlife, which Coca-Cola fully acquired in 2020, sells ultra-filtered milk and Core Power protein shakes. Coca-Cola said product quality and safety have not been affected by the incident. That statement addresses finished goods and consumer risk, but it does not answer the operational question most relevant to manufacturers: whether the ransomware touched the industrial control systems used to run plants, or whether Fairlife stopped production because related business systems were taken offline during containment.

The filing does not provide technical indicators, identify the attacker or say whether any company, customer or employee data was taken. Coca-Cola also said it has not yet determined whether the incident is reasonably likely to have a material impact on the company.

That phrasing leaves the financial scope open. Coca-Cola did not disclose lost production volume, expected downtime, recovery costs, insurance coverage or whether it has received a ransom demand. For a company of Coca-Cola’s scale, a subsidiary-level manufacturing stoppage may not automatically become material to the parent company. For Fairlife’s supply chain and retail partners, the length of the outage is the more immediate issue.

The Register reported that it asked Coca-Cola how many Fairlife sites were affected, whether customer or employee information was compromised, whether operational technology was directly affected and when US production would resume. The publication said it did not receive an immediate response.

No ransomware group had publicly claimed responsibility at the time of that report. Public claims can appear later if ransom talks fail or attackers try to increase pressure, but Coca-Cola has not named a group or confirmed any negotiation.

The disclosure fits a pattern in which ransomware incidents are reported with enough detail to satisfy investors that a response is underway, while leaving the most consequential operating details unanswered. For technology and security teams in manufacturing, the missing information is the story: whether the shutdown reflects a direct hit to plant systems or a precautionary stop after enterprise systems were compromised.

This story draws on original reporting from The Register.

More from Policy

All Policy →