
Krispy Kreme, America’s favorite donut maker, is facing a class action lawsuit over a November 2024 data breach that exposed the personal information of more than 160,000 employees.
The plaintiff in the case – a former employee of the multinational donut and coffee house chain – is accusing the Krispy Kreme Doughnut Corporation of “its utter failure to protect its employees’ sensitive data.”
A judge signed off on the plaintiff’s legal team on Tuesday.
Attorneys representing North Dakota resident Lily Peace filed the proposed class action lawsuit in North Carolina’s Western District Court on June 21st, 2025 – just days after the company sent a breach notification letter out to those impacted by the cyberattack, said to be “mostly employees, members of their families, and former employees.”
“On or about November 29, 2024, Krispy Kreme became aware of unauthorized activity on its network systems, causing the wrongful exposure of 161,676 individuals’ Private Information stored therein,” the court documents said.
The 46-page class action suit went on to say the donut maker not only “failed to adequately protect” Peace and the other 57,412 class members’ private data, but also “failed to even encrypt or redact the highly sensitive information.”
Massive amounts of employee data accessed
The personally identifiable information (PII) of both current and former employees, said to have been left unprotected, includes:
- Names, addresses, email addresses
- Social Security numbers, dates of birth
- Driver’s licenses, state ID numbers, US military ID numbers
- Passport numbers, USCIS or Alien Registration Numbers
- Financial account information, including usernames and passwords
- Credit/debit card information with account security codes
- Digital signatures and biometric data
The court filing states that protected health information (PHI), including medical, health, and health insurance information, was also left exposed.
Play ransomware gang claims responsibility
About three weeks after the November breach, the Play ransomware gang claimed responsibility and promised to release the stolen data on December 21st, 2024. Whether they did or not is unclear.
At the time, Krispy Kreme filed with the US Securities and Exchange Commission, stating that certain business operations had been disrupted and that its online ordering systems were expected to remain offline until recovery efforts were made.
The hack became public knowledge almost immediately following the Play ransomware group's claims that they were the ones to breach the chain. However, breach notification letters were sent out only half a year later and still lack essential details.
A Krispy Kreme spokesperson had told Cybernews at the time that in-person ordering was unaffected and that all 1400 stand-alone doughnut shops and in-store retail locations worldwide were still open.
“We have no reports that the criminals have used any information for identity theft or fraud as a result of this incident,” the spokesperson also told Cybernews.
Because of Krispy Kreme’s intentional, willful, reckless, and negligent failure to implement and maintain adequate data protections, the breach victims will face “a continuing risk of fraudulent personal data use … for their respective lifetimes,” the case documents state.
Krispy Kreme is further accused of a litany of injuries to the victims, including invasion of privacy, an increase in spam calls, texts, and/or emails, and lost time and opportunity costs associated with attempting to mitigate the damages.