Krispy Kreme says highly sensitive data accessed last year • The Register


Krispy Kreme finally revealed the number of people affected by its November cyberattack, and it’s easy to see why analyzing the incident took the well-resourced company several months.

According to a filing with Maine’s Attorney General, cybercriminals compromised data belonging to 161,676 people, and what a haul they had access to.

As ever with data breaches, different people will have had different data points affected, but the full list is as follows:

  • Names
  • Social Security numbers
  • Dates of birth
  • Driver’s license or state ID numbers
  • Financial account information
  • Financial account access information
  • Credit or debit card information
  • Credit or debit card information in combination with a security code, username, and password to a financial account
  • Passport numbers
  • Digital signatures
  • Usernames and passwords
  • Email addresses and passwords
  • Biometric data
  • USCIS or Alien Registration Numbers
  • US military ID numbers
  • Medical or health information
  • Health insurance information

Typical data breaches involve basic personal information, and it is especially noteworthy when something sensitive like financial information is involved, since it is rare for these incidents to expose data of this sensitivity.

But for so many sensitive data points to be exposed in a single attack says something about the donut giant's pre-breach security, according to Dray Agha, senior manager of security operations at Huntress.

He told The Register: “Krispy Kreme collected extreme personal details, like biometrics, medical info, and military IDs – far beyond what’s needed to sell donuts. Biometrics and digital signatures are especially concerning since they can’t be reset like passwords.

“Storing credit card security codes, financial account passwords, and government IDs like passports in the same systems is a major red flag. These should be strictly isolated. Mixing them made it easier for attackers to steal ‘full identity kits’ for fraud.

“Usernames and passwords also require robust encryption, which appears to have been overlooked.”

Krispy Kreme’s website currently displays a large banner pointing visitors to details of the breach, but affected individuals who might be looking for an apology of any kind are out of luck.

“On November 29, 2024, Krispy Kreme became aware of unauthorized activity on a portion of its information technology systems,” it stated. “Upon learning of the unauthorized activity, we immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts.

“On May 22, 2025, our investigation into the incident determined that certain personal information was affected. There is no evidence that the information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident. This notification has not been delayed as the result of a law enforcement investigation.”

The company offered the usual 12 months of credit monitoring and identity protection to everyone caught up in the data disaster, and it appears to have forked out a little extra for fraud consultations and identity theft restoration.

“Krispy Kreme took the appropriate steps to secure our systems following the incident and continues strengthening the security of our systems to further protect the privacy of the data entrusted to us.”

It said the vast majority of people affected by the attack are current and former Krispy Kreme employees, and members of their families.

Several US law firms are now appealing to aggrieved individuals to join potential class action lawsuits against the company, although none have been filed as yet.

Krispy Kreme first disclosed the attack to the Securities and Exchange Commission (SEC) in December, noting that the incident was likely to have a material effect on its finances.

Its most recent quarterly financial statement [PDF] (Q1 2025) indicated that the costs related to the cyber cleanup job amounted to approximately $4.4 million, which included fees related to cybersecurity experts and “other advisors.”

It added that the incident is estimated to have put a $5 million dent in its EBITDA during the reporting period, and that its cyber insurance policy would offset some of this cost.

The company has never mentioned the R-word anywhere near its comms surrounding the attack, although the Play ransomware crew claimed responsibility for the data grab shortly after the SEC was informed.

It’s entirely possible ransomware was not a factor in the attack, since increasing numbers of attacks carried out by ransomware gangs and their affiliates do not involve encryption, only data theft and extortion. ®
