
Krispy Kreme: Over 160,000 people had data stolen during November 2024 cyberattack

Krispy Kreme began sending out breach notification documents to thousands of victims this week after a cyberattack in November exposed troves of data. 

The North Carolina-based doughnut giant reported the data breach to regulators in Maine, Texas, Vermont, South Carolina and Massachusetts, writing that they finished a months-long investigation on May 22 in which they determined that personal information was stolen from 161,676 people. 

A Krispy Kreme spokesperson said the “vast majority of those affected are Krispy Kreme employees, members of their families, and former employees.”

The data stolen includes Social Security numbers, driver’s licenses, financial account numbers and login information, debit card or credit card numbers with security codes, passport numbers, digital signatures, biometric data, USCIS or Alien Registration Numbers, military ID numbers, health insurance information and more. 

In November, Krispy Kreme warned the Securities and Exchange Commission (SEC) that it discovered “unauthorized activity” on portions of its IT system. The cyberattack disrupted the company’s online ordering system and caused operational disruptions at dozens of stores across the U.S.

Krispy Kreme acknowledged at the time that the incident was “likely to have a material impact on the Company’s business operations until recovery efforts are completed,” noting that this is due to the “loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems.”

In its earnings report in May, Krispy Kreme estimated that it suffered $5 million in losses related to the cyberattack. About $4.4 million was spent to remediate the attack and pay for cybersecurity experts, according to the earnings report.

“Our online ordering, retail shops, and core business functions are now fully operational. However, we continued to incur costs in the beginning of the first quarter of fiscal 2025 related to the 2024 Cybersecurity Incident,” the company said in May, noting that cyber insurance may “offset a portion of the losses and costs from the incident.”

Krispy Kreme is one of the largest doughnut companies in the world, reporting $375.2 million in revenue last quarter through its operations in more than 40 countries. 

The attack was claimed in December by the Play ransomware gang. The FBI and several international law enforcement agencies warned that Play is one of the most damaging ransomware gangs operating, launching a total of 900 attacks on organizations since emerging in 2022. 

The FBI said Play “was among the most active ransomware groups in 2024.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.