Back to all articles
M&A, Investment & Valuation18 JUL 2026Β·Akos Petri, MScΒ·4 min read

Coca-Cola Halted Its $6 Billion Fairlife Milk Brand After a Ransomware Attack. Food Manufacturing's Cyber Reckoning Has Arrived

Coca-Cola has suspended all US production at Fairlife, its $6bn protein-milk brand, after a ransomware attack reached the systems that run its plants. Here is why the factory floor has become food and beverage's most expensive cyber blind spot, and what operators, investors and buyers should do about it.

Coca-Cola Halted Its $6 Billion Fairlife Milk Brand After a Ransomware Attack. Food Manufacturing's Cyber Reckoning Has Arrived

Coca-Cola paid a $6.1bn earnout for Fairlife in early 2025. Eighteen months later, a ransomware crew switched the brand's entire US production off in a single afternoon.

On 16 July, Coca-Cola said it found unauthorised access to part of its network, including the systems that run Fairlife's plants. It suspended US production while it investigates. Canada is still running. The company says product quality and safety are fine, that it has brought in outside cyber experts, and that it has told law enforcement. It also said the full scope of the attack is not yet known.

No ransomware group has claimed the hit. Coca-Cola has not said whether data was stolen or whether it is being asked to pay. The point for the rest of the industry is simpler: an attacker reached the factory floor, and the factory stopped.

Why Fairlife is a bad brand to lose

Fairlife is no side project. It makes ultra-filtered milk, the Yup flavoured range, and Core Power protein shakes. It is one of Coca-Cola's fastest-growing brands and passed $1bn in annual retail sales years ago. Protein is the hottest thing in the chiller right now, and Fairlife sits in the middle of it.

Coca-Cola knows what it is worth. It took full ownership in 2020, then paid that $6.1bn earnout in early 2025 as sales flew past the targets. In March 2026 it committed another $650m to add production lines at its Coopersville plant in Michigan, with a new site in New York state due to start this year. A company does not spend like that on a brand it can afford to leave offline.

The factory floor is the new target

For years, cyber risk in food meant stolen email and leaked customer data. That has changed. Attackers now go after the operational systems that run the machines, because a stopped plant creates the most pressure to pay fast.

We have seen this before. In 2021, a ransomware attack shut JBS meat plants across the US, Canada and Australia, and the meat giant paid an $11m ransom to get moving again. A Japanese food group was hit by a separate cyberattack the same week as Fairlife. Each of these hits followed the same logic: stop the line, and the clock starts working for the attacker. Food and drink makers have become prime targets, because their plants are perishable and hard to run by hand.

The ransom is the small number

The cheque to the hackers is rarely the real cost. The damage is the lost output and the empty shelves it leaves behind, as shoppers grab a rival tub because the usual one is missing.

Fairlife is chilled and dated, so lost days cannot be clawed back later the way a can of soda can. In a category growing this fast, a two-week gap on shelf is an open invitation for every protein rival to take the space. The longer the US lines stay down, the more that hidden cost climbs past anything a ransom would have been.

What buyers and boards should take from this

Three things change after an attack like this one. Cyber stops being an IT line item and becomes a board-level operational risk, sitting next to supply and commodity cost. Buyers and private equity start pricing plant security into deals, because a target with weak factory systems carries a hidden liability. And resilience spending, from backup capacity to tested recovery plans, starts to look like normal capex.

Coca-Cola will get Fairlife back. It has the cash and the expertise to recover. The lasting lesson is that the most valuable brand in your portfolio is only as strong as the software running its production line. The companies that treat that as a strategic exposure will be the ones still shipping when the next attack lands.

Strategic Insights


πŸ“Š Analytics & Strategic Insight

Cybersecurity has quietly become a supply-chain and M&A risk, and most food boards still treat it as an IT problem

The decision most in this industry are avoiding:

πŸ‘‰ The stopped production line is the real exposure here. A leaked customer file is embarrassing; a frozen line empties shelves and hands share to rivals in days.

πŸ‘‰ Your best brand is your most fragile one. The faster a brand grows, the more it runs on tightly linked, automated plants with almost no slack, so an outage there costs the most.

πŸ‘‰ The ransom is a rounding error next to the lost sales. Boards plan for the payment and ignore the downtime, which is where the real money goes.

Here's the full context:

β†’ 2012: Fairlife is founded by Mike and Sue McCloskey through a partnership with Coca-Cola and dairy co-op Select Milk Producers.

β†’ 2020: Coca-Cola takes full ownership of Fairlife, betting on ultra-filtered milk and Core Power protein shakes as protein demand climbs.

β†’ 2021: A ransomware attack shuts JBS meat plants across three continents; JBS pays an $11m ransom. The food sector's factory-floor risk is out in the open.

β†’ March 2026: Coca-Cola commits another $650m to expand Fairlife production, after a $6.1bn earnout in early 2025 confirmed it as a crown-jewel brand.

β†’ Most recent: On 16 July 2026, a ransomware attack forces Coca-Cola to suspend all US Fairlife production; Canada keeps running and the full scope is still unknown.

What this means for food and beverage operators and investors:

βœ… Treat cyber as an operational risk, not an IT cost. It belongs on the same board dashboard as commodity price and supply security.

βœ… Price plant security into every deal. A target with weak factory systems carries a hidden liability that shows up the first time a line goes down.

βœ… Resilience is now capex. Backup capacity and tested recovery plans protect revenue the same way a second supplier protects a commodity.

3 moves you can make this week:

1️⃣ Map your single points of failure. List the brands and SKUs that depend on one plant or one system, and rank them by revenue at risk.

2️⃣ Pressure-test one plant going dark. Run a tabletop exercise: if this site stopped today, how long until shelves empty and who takes the space?

3️⃣ Add cyber to your deal checklist. Before you buy or invest, review a target's factory-system security the way you review its balance sheet.


Take the Next Step

🧭 Facing a decision like this in your own category?
Describe it in a few lines. Selected enquiries receive an initial strategic assessment: direction, likely scope and indicative investment range.
β†’ Start a project enquiry

Zenith Consulting

Submit your food & beverage project enquiry.

Share your requirements. If there is a strong fit, we’ll come back with an indicative investment range, project timeline and recommended strategic approach.

Reviewed by Zenith Consulting’s senior food & beverage strategy team.

Submit your project enquiry

Share it with your peers

Pass this analysis to colleagues who track the food and beverage market.

Zenith Market Intel

Need a specific food or beverage market report?

Tell us which category, region or question would be useful for your team.

Sister Publication

Also follow our Water Dispense Market Intelligence

Category analyses, operator briefings, and investor signals across the global water dispense market.

Visit