Over 160K people affected in Krispy Kreme hack, but details remain unclear


The United States’ favourite doughnut chain, Krispy Kreme, reveals that over 160,000 people were affected by a hack late last year.

The hack became public knowledge almost immediately following the Play ransomware group's claims that they were the ones to breach the chain. However, breach notification letters were sent out only half a year later and still lack essential details.

The doughnut maker was attacked in November 2024, causing disruptions to its online ordering systems right before the holiday season.

In the breach notification letter, Krispy Kreme said that it’s notifying affected individuals regarding “unauthorized activity on a portion of its information technology systems.”

Upon discovering the security breach, Krispy Kreme investigated the incident with the help of third-party experts.

Following the investigation, the company learned that some personal information had been compromised during the breach.

The information acquired included names or other personal identifiers in combination with “other personal information” that Krispy Kreme didn’t disclose publicly.

A Krispy Kreme spokesperson told Cybernews that the "vast majority of those affected are Krispy Kreme employees, members of their families, and former employees," not customers.

"We are notifying affected individuals and will be providing detailed information specific to their data. Importantly, we have no reports that the criminals have used any information for identity theft or fraud as a result of this incident," the spokesperson told Cybernews.

What data types were impacted remains unclear.

While information on the event remains unclear, what we do know is that over 160,000 individuals were impacted by the breach. Still, it is unclear whether these were exclusively customers or whether employees were also affected.

While the doughnut company didn’t explicitly say what caused the event, apart from stating that it had been hacked, the Play ransomware group claimed the attack in December 2024.

Play posted the doughnut retailer on its dark leak blog, boasting that it managed to exfiltrate “private and personal confidential data, client documents, budget, payroll, accounting contracts, taxes, IDs, finance information,” and more. This indicates that the breach affected more than just Krispy Kreme customers.

However, Play didn’t publish any samples of the data they claimed to have stolen and instead only listed multiple question marks (“???”) next to the number of gigabytes.

Krispy Kreme - Play leak site

The ransomware group promised to release the stolen data on December 21st, 2024. Whether they did or not is unclear.

At the time, Krispy Kreme filed with the US Securities and Exchange Commission, stating that certain business operations had been disrupted and that its online ordering systems were expected to remain offline until recovery efforts were made.

A Krispy Kreme spokesperson told Cybernews at the time that in-person ordering was unaffected and that all 1400 stand-alone doughnut shops and in-store retail locations worldwide were still open.

A short time later, Krispy Kreme published a statement on its website that online ordering had been restored for most of its stores.