Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
US doughnut giant Krispy Kreme has disclosed that the cyber attack it suffered late last year affected over 160,000 people, leading to the compromise of personal and financial data.
In November 2024, Krispy Kreme revealed that it had detected “unauthorised activity” on its systems, leading to operational disruptions. While no threat group initially took responsibility for the incident, the Play ransomware group claimed the cyber attack in December.
Now, following a month-long investigation that ended on 22 May, Krispy Kreme has determined that 161,676 people were affected in the incident and has begun informing victims.
“On November 29, 2024, Krispy Kreme Doughnut Corporation (‘Krispy Kreme’) was notified regarding unauthorised activity on a portion of its information technology systems. Upon learning of the unauthorised activity, we immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cyber security experts,” Krispy Kreme wrote in a letter to those affected.
“On May 22, 2025, we determined that certain of your personal information was impacted by this incident. There is no evidence that your information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident. This notification has not been delayed as the result of a law enforcement investigation.”
According to Krispy Kreme, data affected in the breach includes financial account numbers and login data, debit card/credit card numbers with security codes, driver’s licenses, passport numbers, Social Security numbers, biometric data, digital signatures, health insurance information, military ID numbers, USCIS or Alien Registration Numbers and more.
A spokesperson for Krispy Kreme has said that the “vast majority of those affected are Krispy Kreme employees, members of their families, and former employees”, which the types of data listed above suggest.
At the time of the breach in November, Krispy Kreme said it expected to see financial losses as a result of the incident.
“As of the date of this filing, the incident has had and is reasonably likely to have a material impact on the company’s business operations until recovery efforts are completed,” the company said at the time.
“The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cyber security experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the company’s results of operations and financial condition.”
In its May 2025 earnings report, Krispy Kreme said it estimated a US$5 million loss as a result of the cyber attack, with about US$4.4 million spent on cyber security experts and remediation costs.
“Our online ordering, retail shops, and core business functions are now fully operational. However, we continued to incur costs in the beginning of the first quarter of fiscal 2025 related to the 2024 cyber security Incident,” it said.
In both its May earnings report and at the time of the cyber attack in November, Krispy Kreme said its cyber insurance coverage would partially cover its expenses.
Be the first to hear the latest developments in the cyber industry.
