A ransomware attack has suspended all U.S. production at fairlife, the Coca-Cola-owned dairy brand behind high-protein milk and protein shakes, after an unauthorized third party gained access to a portion of the company’s systems, including systems tied directly to manufacturing.
Product quality and safety have not been affected, the company said in a Form 8-K filed with the U.S. Securities and Exchange Commission on Thursday.
Coca-Cola confirmed the incident in a same-day release, saying fairlife identified the unauthorized access “in connection with a ransomware event”. Production operations at fairlife’s U.S. plants, located in Michigan, New York and Arizona, are temporarily suspended. The brand’s Canadian operations are not currently affected, according to the Coca-Cola Company.
It’s unclear if the shutdowns are tied to an IT lockout (email, file shares, business systems) or OT (the systems that run physical equipment on a factory floor).
The company said activated incident response and business continuity protocols have immediately been triggered and outside advisors and cybersecurity experts are currently evaluating the attack.
The company has not disclosed which systems were affected beyond describing them as “production-related” or how long the shutdown is expected to last. Also unknown is whether the unauthorized access extended to networks that control physical equipment on the plant floor.
As of this report, no ransomware group had claimed responsibility for the attack and Coca-Cola has not said whether the attackers stole data or issued an extortion demand.
“The full scope, nature and impacts of the incident are not yet known,” the company said in its SEC filing, adding it has not yet determined whether the incident is reasonably likely to have a material effect on the business.
The incident adds fairlife to a growing list of major U.S. companies reporting cyber incidents this year. In February, a ransomware attack on the University of Mississippi Medical Center forced the closure of all 35 of its clinic locations statewide and knocked out its electronic medical records system, pushing clinicians to pen and paper. In May, Taiwan-based Foxconn confirmed a ransomware attack on its North American factories after the Nitrogen group claimed to have stolen 8 terabytes of data tied to major technology clients. And in June, the pharmaceutical maker Novo Nordisk confirmed unauthorized access to internal systems after the extortion group FulcrumSec claimed it stole 1.3 terabytes of data and demanded a $25 million ransom.
Coca-Cola has not said how attackers gained access. Sophos reported earlier this week that so far in 2026 that 79% of ransomware attacks started with a compromised identity rather than a software flaw. It also found that manufacturing victims paid the ransom in 43% of encrypted-data cases.
Separately, Check Point reported earlier this year in its ‘Manufacturing Threat Landscape 2026’ report, global ransomware incidents surged 32% year-over-year, reaching 7,419 documented cases, while attacks specifically targeting manufacturing rose 56%, increasing from 937 in 2024 to 1,466 incidents in 2025.
fairlife’s shutdown fits a pattern SPB has tracked this year where attackers increasingly hit companies where operational disruption, not just data theft, is the leverage. Coca-Cola disclosing before confirming data loss, following weeks after FulcrumSec’s extortion campaign against Novo Nordisk.