Skip to content

Cyberattack halts U.S. production at Coca-Cola’s fairlife dairy business

Coca-Cola said product safety was unaffected as it suspended U.S. production while responding to a ransomware attack.

Sign at the employee entrance to Fairlife’s production and distribution facility in Goodyear, Arizona, with the manufacturing complex visible in the background.
A sign marks the employee entrance to Fairlife’s production facility in Goodyear, Arizona. Coca-Cola suspended U.S. production at its Fairlife dairy business following a ransomware incident in July 2026. (Stellar)

Coca-Cola’s fairlife dairy business suspended U.S. production Thursday after detecting unauthorized access connected to a ransomware incident. The company said product quality and safety were unaffected.

The company operates U.S. production facilities in Coopersville, Michigan; Goodyear, Arizona; and Webster, New York. Coca-Cola said production across the United States had been suspended while restoration work continued.

The Chicago-based company produces fairlife ultra-filtered milk, Core Power protein shakes and Nutrition Plan shakes. fairlife, LLC, is a wholly owned subsidiary of The Coca-Cola Co.

In a filing with the Securities and Exchange Commission, Coca-Cola said fairlife “identified unauthorized access by a third party to a portion of its systems,” including production-related systems, in connection with a ransomware event.

Coca-Cola said it activated its incident response and business continuity protocols and brought in outside advisers and cybersecurity experts. The company also notified law enforcement.

Canadian production for fairlife remained operational. Coca-Cola said it was working to complete the investigation and restore affected systems and operations.

The disruption follows a June 2025 cyberattack on United Natural Foods that interfered with grocery ordering and distribution before the wholesaler restored its core systems.

Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.

Tip us

Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.

Become a Supporter

The full scope, nature and impact remained under investigation. Coca-Cola did not identify which U.S. facilities or systems were directly compromised, when the intrusion began or when it was detected. The company also did not provide a timeline for restarting U.S. production or say whether the disruption could affect product availability.

Coca-Cola did not say whether the affected production-related systems included operational technology used to run manufacturing equipment or were limited to business information technology systems that support production.

The company has not disclosed whether data was stolen, files were encrypted or a ransom demand was received. Coca-Cola also had not determined whether the incident was reasonably likely to materially affect the company.

No ransomware group had publicly claimed responsibility as of publication, and Coca-Cola had not attributed the incident to a group or individual. The filing described the intruder only as an unauthorized third party.

The company did not respond to a request for comment by publication time.

Attribution note: DysruptionHub credits upstream reporting and primary sources—see citations above. If this report informed your coverage, please cite DysruptionHub with a link.
DysruptionHub Staff

DysruptionHub Staff

A collaborative project to bring you the latest cyberattacks impacting the availability of services and goods in the United States.

All articles

More in Private Sector

See all

More from DysruptionHub Staff

See all