Glazenost: Krispy Kreme opens up to reveal the unsugared truth about a major cyberattack
Doughnut giant admits that more than 160,000 customers were affected by a security incident in November 2024.

Krispy Kreme has revealed the hole truth (sorry) about how many people were affected by a major cyberattack last year.
In a filing with the Maine Attorney General, it admitted that the incident on November 29 involved 161,676 of its customers.
The data accessed included people's names, Social Security numbers, dates of birth, biometric data and credit or debit card information.
The food firm wrote: "On November 29, 2024, Krispy Kreme became aware of unauthorised activity on a portion of its information technology systems. Upon learning of the unauthorised activity, we immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts.
"On May 22, 2025, our investigation into the incident determined that certain personal information was affected. There is no evidence that the information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident. This notification has not been delayed as the result of a law enforcement investigation."
Krispy Kreme is now offering free credit monitoring and identity protection services to affected individuals, who should have received a letter alerting them about the breach.
It added: "Krispy Kreme is advising all notice recipients to stay vigilant and closely review and monitor their financial accounts, statements, credit reports and other financial information for any evidence of unusual activity, fraudulent charges, or signs of identity theft."
A bitter pill for lovers of sweet treats
The doughnut giant first revealed the attack in an SEC filing in December 2024, when it said that "unauthorised activity on a portion of its information technology systems" was detected on November 29.
It "immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts."
"Krispy Kreme shops globally are open, and consumers are able to place orders in person, but the Company is experiencing certain operational disruptions, including with online ordering in parts of the United States," it wrote. "Daily fresh deliveries to our retail and restaurant partners are uninterrupted."
In its quarterly results, Krispy Kreme revealed that remediating the incident cost roughly $4.4 million.
"Our online ordering, retail shops, and core business functions are now fully operational," it wrote. "However, we continued to incur costs in the beginning of the first quarter of fiscal 2025 related to the 2024 Cybersecurity Incident."
These costs included a $5 million dent in EBITDA during the first quarter of 2025, which was "primarily related to operational inefficiencies".
"We hold cybersecurity insurance that is expected to offset a portion of the losses and costs from the incident," it confirmed.
At the time, the attack on a beloved doughnut deliverer sparked a vast outpouring of puns and jokes across the internet.
"Crossing a line," Chris H., CEO of Aquia, wrote on LinkedIn. "You can come after our telecommunications systems. You can impact our water treatment facilities. You can burrow and disrupt our digital critical infrastructure, but once you start targeting America's donuts, sh*ts about to get real."