Krispy Kreme Confirms November Data Breach Affects Over 160,000 Individuals


Krispy Kreme, a prominent U.S. doughnut chain, confirmed that a cyberattack in November 2024 compromised the personal information of over 160,000 individuals.

As of December 2023, Krispy Kreme employed approximately 22,800 individuals across 40 countries, operating 1,521 shops and 15,800 distribution points globally. The company also oversees four “Doughnut Factories” in the United States and 37 internationally, partnering with McDonald’s for product distribution in numerous locations worldwide.

This week, a filing with Maine’s Office of the Attorney General disclosed that the November data breach impacted 161,676 individuals. In notifications sent to those affected, the company stated, “On May 22, 2025, we determined that certain of your personal information was impacted by this incident. There is no evidence that your information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident.”

While specifics on the nature of the exposed data were not provided by Krispy Kreme, a subsequent filing with Massachusetts’ Attorney General confirmed that the compromised data included social security numbers, financial account details, and driver’s license information.

Krispy Kreme first identified unauthorized activity on its IT systems on November 29 and subsequently disclosed significant disruptions to its online ordering and operations in an SEC filing dated December 11. The company has since implemented measures to contain the breach and engaged external cybersecurity experts to evaluate its impact on operations.

Breach Attributed to Play Ransomware

Although Krispy Kreme has not provided further details about the breach, the Play ransomware gang claimed responsibility for the attack in late December, asserting they had stolen data from the company’s network. They alleged that the stolen files included “private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information,” among other sensitive data.

Krispy Kreme entry on Play ransomware's leak site

Following the failure of negotiations with the company, the ransomware group released multiple archives containing hundreds of gigabytes of documents on their dark web leak site on December 21. The Play ransomware operation, which began in June 2022, is recognized for its tactics of stealing sensitive information from compromised systems and employing double-extortion methods to coerce victims into paying a ransom with the threat of public data exposure.

Notable targets of the Play ransomware gang have spanned various sectors, including cloud computing firms and municipal governments, highlighting the widespread impact of their operations. In December, the FBI, in collaboration with CISA and the Australian Cyber Security Centre, released a joint advisory indicating that the Play ransomware gang had breached around 300 organizations worldwide as of October 2023.