Coca-Cola's Fairlife Halts US Production After Ransomware Attack

A ransomware attack on Coca-Cola's Fairlife dairy subsidiary has forced a complete suspension of US production, with the company unable to say when operations will resume.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Industrial dairy production line representing a ransomware attack halting manufacturing operations

Industrial dairy production line representing a ransomware attack halting manufacturing operations

Coca-Cola has confirmed that a ransomware attack on its Fairlife dairy subsidiary has forced the company to suspend all production operations across the United States, with no timeline given for when manufacturing will resume.

What Coca-Cola has confirmed

In a filing with the US Securities and Exchange Commission, Coca-Cola said Fairlife identified unauthorized access by a third party to a portion of its systems, including its production related systems, in connection with a ransomware event. After detecting the issue, the company activated its incident response and business continuity protocols, notified law enforcement, and engaged outside advisors and cybersecurity experts to assess the scope and impact of the incident. As a result of the disruption, production operations at Fairlife's facilities in the United States are temporarily suspended, while production in Canada continues unaffected. Coca-Cola said product quality and safety have not been impacted, and that it has not yet determined whether the incident is reasonably likely to have a material effect on the company.

A billion dollar brand goes dark

Fairlife, a Chicago based dairy company wholly owned by Coca-Cola since 2020, produces ultra filtered milk, protein shakes, and other nutrition drinks built around a specialised filtering process that reduces sugar and lactose while boosting protein content. The brand has become one of Coca-Cola's fastest growing dairy properties, with sales estimated at around 4 billion dollars, and it played a significant role in the broader high protein product trend that accelerated alongside the rise of GLP-1 medications. That scale is precisely what makes a full production halt consequential rather than a minor operational hiccup. This is not a company quietly patching a server. It is a nationally distributed consumer brand with its entire US manufacturing footprint offline at once.

Ransomware against food and beverage production has a track record of dragging on

Coca-Cola has not said when Fairlife's systems will be restored, and history suggests that timeline matters could stretch well beyond an initial estimate. Ransomware attacks against food and beverage manufacturers have previously caused multi week disruptions rather than quick recoveries. Arizona Beverages was knocked offline for an extended period following a 2019 ransomware attack, and grocery distributor UNFI suffered weeks of disrupted production and empty shelves after a cyberattack in 2025. Once ransomware reaches production adjacent systems rather than purely administrative ones, restoring operations safely typically means rebuilding trust in operational technology from the ground up, not simply restoring from a backup and resuming as normal.

Why production systems are the harder problem

Operational technology environments cannot simply be patched and rebooted the way a corporate laptop can. Bringing a contaminated manufacturing environment back online safely requires verifying that industrial control systems, batching equipment, and packaging lines have not themselves been compromised or tampered with, a process that takes considerably longer than restoring email or file servers. That distinction between IT and OT recovery timelines is central to why critical infrastructure remains the GCC's most exposed attack surface, where the same gap between administrative systems and production floor systems shows up repeatedly.

A pattern GCC manufacturers should not treat as distant

Food and beverage manufacturing, along with other consumer goods production, is exactly the kind of just in time, brand sensitive operation increasingly common across Gulf industrial and logistics hubs. An attack that halts a household name's production line for weeks is a direct illustration of business interruption risk, not merely a cybersecurity abstraction. Enterprises across the region running production, packaging, or logistics operations dependent on continuous system uptime should treat this incident as a concrete reference point when making the case internally for OT specific incident response planning, rather than folding manufacturing environments into a generic IT recovery plan, particularly given how consistently Gulf enterprises have overestimated their own ransomware readiness once actual incident data is examined.

What is still unknown

Coca-Cola has not disclosed the ransomware group responsible, how attackers first gained access, or what data, if any, was exfiltrated before encryption. The company's SEC filing leaves open the possibility of a material financial impact pending further investigation. Given the scale of Fairlife's US production footprint and the precedent set by comparable incidents in the sector, this is a story likely to develop over the coming days rather than resolve quickly, and MENA Cyber Wire will update this report as further details emerge.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceRansomware Trends