One-sentence summary:
Pepsi Bottle Ventures (PBV) suffered a data breach in December 2022 via a network intrusion that led to the unauthorized disclosure of sensitive PII (personally identifiable information) of at least 7 individuals.
Who was involved?
An adversary, Pepsi Bottle Ventures (PBV) LLC, and potentially seven Montana residents (data victims) (Montana Department of Justice, 2023).
What was the timeline?
The breach started on December 23, 2022, and was discovered by Pepsi on January 10, 2023 (Console, 2023, para. 4; Toulas, 2023, para. 3). The threat actor's access was revoked after January 19, 2023, and the intrusion was publicly announced on February 10, 2023 (Console, 2023, para. 1).
What occurred?
A threat actor broke into Pepsi Bottle Ventures’s network, “installed malware,” and exfiltrated data, including the PII of at least 7 Montana residents (Toulas, 2023, para. 1; Pepsi Bottle Ventures, 2023, para. 2; Montana Department of Justice, 2023).
Estimated costs:
Incident response costs, downtime of systems, Kroll identity monitoring for the 7 victims, as well as restoration of affected systems.
Involved laws:
Mont. Code Ann. § 30-14-1704: “Computer security breach. (1) Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
Network security and intrusion detection are critical tasks required on the network edge. Continuous monitoring is also essential in the modern enterprise.
Sources:
Console, R. (2023, February 13). Pepsi Bottling Ventures, LLC Files Notice of Employee Data Breach. JD Supra. Retrieved February 14, 2023, from https://www.jdsupra.com/legalnews/pepsi-bottling-ventures-llc-files-6604280/
Montana Department of Justice. (2023). Reported Data Breach Incidents. Retrieved February 14, 2023, from https://dojmt.gov/consumer/databreach/
Mont. Code Ann. § 30-14-1704 (2015). https://leg.mt.gov/bills/mca/title_0300/chapter_0140/part_0170/section_0040/0300-0140-0170-0040.html
Pepsi Bottle Ventures. (2023). Pepsi Bottle Ventures: Notice of Security Incident. Montana Department of Justice. Retrieved February 14, 2023, from https://dojmt.gov/wp-content/uploads/Consumer-Notification-Letter-820.pdf
Toulas, B. (2023, February 13). Pepsi Bottling Ventures suffers data breach after malware attack. BleepingComputer. https://www.bleepingcomputer.com/news/security/pepsi-bottling-ventures-suffers-data-breach-after-malware-attack/