Pepsi Bottling Ventures (PBV) has disclosed a breach of its network that resulted in the theft of employees' sensitive personal and financial information.
The company made the announcement in an email sent to consumers (and in a notice filed with the attorney general of Montana) on February 10.
According to the document, the company learned about the breach on January 10, when it discovered unauthorized access and connected it to a deployment of info-stealing malware that occurred in December last year.
"Based on our preliminary investigation, an unknown party accessed those systems on or around December 23, 2022, installed malware, and downloaded certain information contained on the accessed IT systems," reads the letter.
According to Ryan McConechy, senior consultant at Barrier Networks, the delay in notifying affected customers left data potentially open to compromise and systems susceptible to reconnaissance.
"What is most concerning about this incident is the long time gap [...] between the cyber-attack taking place and Pepsi Bottling Ventures identifying it," McConechy told Infosecurity in an email. "This essentially means the criminals had almost three weeks of access to the data without anyone even knowing it had been compromised."
PBV confirmed that impacted information includes former and current employees' names, home and email addresses, financial account information, government-issued identification numbers, digital signatures and information related to benefits and employment, including medical information.
"Any person or organizations impacted by this incident must be on alert of attack vectors such as identity and financial fraud, amongst others, and should take up the offer of free credit monitoring in an effort to better protect themselves from nefarious activity," warned High Ground CEO Mark Lamb.
In the letter to potentially impacted employees, Pepsi Bottling Ventures said it is offering them a year of free identity monitoring services through Kroll, which includes credit monitoring, fraud loss management and identity theft restoration.
The PBV letter comes weeks after Five Guys disclosed a similar breach that also affected employees' data.