Krispy Kreme has begun sending formal data breach notifications to affected customers, confirming that personal information was compromised in the ransomware attack the company suffered in late 2024.
The notification comes months after the initial cybersecurity incident, which disrupted online ordering systems and was later claimed by the Play ransomware group.
The breach notice, signed by Krispy Kreme’s Chief Legal Officer Atiba Adams, was distributed to individuals whose data was affected. It reveals that although the attack was first detected on November 29, 2024, the company only confirmed on May 22, 2025, that specific personal information had been impacted. While the nature of the compromised data is not publicly detailed, the company is offering complimentary identity monitoring services through Kroll, including credit monitoring, fraud consultation, and identity theft restoration.
The original breach came to light in December 2024 when Krispy Kreme filed an incident report with the U.S. Securities and Exchange Commission (SEC). At the time, the company confirmed that its IT systems had been accessed without authorization, causing significant disruption to its online ordering capabilities across parts of the United States. Physical store operations and delivery logistics remained operational, but the incident impacted digital revenue streams and raised immediate cybersecurity concerns.
Krispy Kreme, headquartered in Charlotte, North Carolina, operates in over 30 countries with more than 11,000 locations worldwide. Its growing reliance on digital sales, particularly online ordering, has made it an increasingly attractive target for cybercriminal groups. The Play ransomware gang, which has a history of high-impact cyberattacks against global enterprises, claimed responsibility for the intrusion and threatened to publish stolen data unless ransom demands were met. The group is known for encrypting files with a “.play” extension and employing double-extortion tactics, including data theft and leak threats.
In a statement published on their leak site in December 2024, Play claimed to have exfiltrated a wide range of sensitive corporate and personal data, including payroll records, client documentation, IDs, tax files, and accounting data. While Krispy Kreme has not publicly confirmed the scope or authenticity of the stolen information, the recent wave of breach notices indicates that at least some customer data was indeed compromised.
Krispy Kreme says it has engaged leading cybersecurity firms to assist in the investigation and remediation efforts and has notified federal law enforcement. Although the company states there is currently no evidence of identity theft or fraud linked to the exposed data, the delayed notification may expose it to increased regulatory scrutiny and potential litigation.
Leave a Reply