Krispy Kreme, an American doughnut institution with shops worldwide, announced on Wednesday its network was breached in November, causing a major disruption to its online ordering systems, right in the middle of the holiday rush.
The first “original glazed doughnut” maker filed an 8-K breach notification with the US Securities and Exchange Commission on Wednesday.
“On November 29th, 2024, Krispy Kreme, Inc. was notified regarding unauthorized activity on a portion of its information technology systems,” the filing stated.
A company spokesperson told Cybernews on Wednesday that Krispy Kreme was “experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States.”
In its filing, Krispy Kreme said business operations have been disrupted since the incident began, and its online ordering systems are expected to stay offline “until recovery efforts are completed.”
The company did note that in-person ordering was unaffected and that all Krispy Kreme shops worldwide are still open.
“Our fresh doughnuts are available in our shops as always! Additionally, our fans can also visit their nearest grocery or convenience store to enjoy our doughnuts,” the Krispy Kreme rep said.
The company further stated that daily fresh deliveries to retail and restaurant partners were also uninterrupted.
Founded in 1937 and headquartered in Charlotte, North Carolina, Krispy Kreme has a combination of over 1400 stand-alone doughnut shops and in-store retail locations across 36 countries worldwide.
“As one of the world’s largest doughnut companies with over 400 US locations, this breach raises concerns about not only operational disruptions amidst the holidays but also the potential exposure of sensitive data within Krispy Kreme and its supply chain,” said Ryan Sherstobitoff, SVP of Threat Research & Intelligence at SecurityScorecard.
According to data from a SecurityScorecard November report, in the past year, 97% of the top 100 US retailers have been hit by a third-party data breach, “exposing the susceptibility of these retailers to threat actors,” Sherstobitoff said.
Costs and impact expected from the attack
The Krispy Kreme spokesperson said as soon as the company became aware of the intrusion, in-house and leading third-party cybersecurity experts “immediately began taking steps to investigate, contain, and remediate the incident.”
"We, along with them, continue to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering," the spokesperson said.
Even so, Krispy Kreme said it expects to suffer short-term financial losses until systems are back up and running smoothly, including lost digital sales revenue, fees for outside cybersecurity experts and advisors, and costs to restore any impacted systems.
Krispy Kreme said its cybersecurity insurance coverage is expected to “offset a portion of those costs” while it works to determine the “full scope, nature, and impact of the incident.”
With over 21,000 employees, the multinational doughnut and coffeehouse chain listed its annual net revenue for 2023 as $1.7 billion.
The company has not revealed if it has been contacted by any specific cybercriminal ransomware group or what, if any, data was compromised in the breach.
“With the holiday season in full swing, retailers must remain vigilant. A single breach could lead to not only operational disruptions and revenue loss but also damage customer trust,” Sherstobitoff said.
“This attack on Krispy Kreme serves as a stark reminder for organizations to prioritize security, not just for their own systems, but for their entire supply chain,” he said.
The publicly traded company was bought by the German JAB Holding company in 2021 after a series of accounting scandals and mismanagement left the company financially destitute.
JAB Holding also owns major food and service brands, including Bagel Brands, Caribou Coffee, Panera Bread, Peet’s Coffee, Pret a Manger, Keurig, Dr. Pepper, and more.