Ransomware Attack Halts Fairlife Milk Production Across the US
Coca-Cola told the SEC that hackers broke into its Fairlife dairy subsidiary, forcing the company to stop making protein shakes and ultra-filtered milk at its American plants.

Key points
- Coca-Cola disclosed in an SEC Form 8-K filing on the day of disclosure that a ransomware attack hit its Fairlife dairy subsidiary.
- Fairlife has temporarily suspended production at all of its US facilities while it restores affected systems.
- Canadian production is not affected, and Coca-Cola says product quality and safety are intact.
- No ransomware gang has claimed the attack, and Coca-Cola has not said whether customer or employee data was stolen.
- The US Securities and Exchange Commission requires public companies to disclose material cyber incidents within four business days.
Coca-Cola has told regulators that a ransomware attack, meaning malicious software that locks a company's files until it pays a ransom, has forced its Fairlife dairy subsidiary to stop making products across the United States.
The disclosure came in a Form 8-K filing with the US Securities and Exchange Commission. Coca-Cola said Fairlife detected unauthorised access to some of its systems, including those tied to production.
The attack was first reported by BleepingComputer.
Fairlife is the Coca-Cola brand behind Core Power protein shakes, Fairlife Ultra-Filtered Milk, and the Nutrition Plan line. If you have bought any of these in the last week, they are safe. Coca-Cola stated in the filing that product quality and safety have not been affected.
What has stopped is the making of new stock.
What actually happened to Fairlife?
Criminals broke into Fairlife's computer systems, including the ones that run the factories. Once ransomware takes hold, the usual pattern is that files get scrambled and machines refuse to boot until IT staff either restore from backups or the company pays for a decryption key.
Coca-Cola said it "promptly activated its incident response and business continuity protocols" after spotting the intrusion. It has brought in outside cybersecurity experts and notified law enforcement.
Production lines at Fairlife's US plants are down while engineers rebuild. Canadian operations are still running.
Coca-Cola has not said how the hackers got in, when the intrusion began, or how long the shutdown will last. It also has not confirmed whether any files were stolen before the ransomware fired, which is now the standard playbook: steal first, encrypt second, extort twice.
Was any customer data stolen?
Coca-Cola has not said. No ransomware group has publicly claimed the attack, and there is no leak-site listing so far.
That could change. Most modern ransomware crews wait days or weeks before naming a victim on their extortion blog, using that window to squeeze the company privately. If Fairlife holds employee records, supplier contracts, or loyalty programme data, any of it could surface later.
The company said in its filing that it has not yet determined whether the attack is "reasonably likely to materially affect" its business. Under SEC rules brought in for cyber incident disclosure in 2023, US-listed companies must file an 8-K within four business days of deciding an incident is material.
What should shoppers and Fairlife staff do?
For shoppers, very little. Existing stock is safe to drink. You may see gaps on shelves for Core Power and Fairlife milk over the coming weeks as inventory runs down.
For Fairlife employees, past and present, watch your inbox. If the hackers took HR files, phishing emails, meaning fake messages designed to trick you into handing over passwords or bank details, tend to follow within weeks. Treat any urgent "HR update" or "payroll verification" message with suspicion, and confirm through a known internal channel before clicking.
Anyone who has bought from Fairlife directly through a loyalty or subscription programme should keep an eye on the email address they used, and consider changing the password if it was reused elsewhere.
Coca-Cola says its investigation is ongoing.



