Donut and coffee retail chain Krispy Kreme has confirmed that the ransomware attack that came to light in late 2024 resulted in a data breach.
Krispy Kreme revealed being hit by a cyberattack on December 11, saying that the incident had led to operational disruptions.
Roughly one week later, the Play ransomware group took credit for the attack, claiming to have stolen personal information, client documents, financial information, as well as other files related to accounting, contracts, payroll, and budget.
The cybercriminals claimed to have stolen 184 Gb worth of data, which they made public on their Tor-based leak website in December 2024, after Krispy Kreme likely refused to pay a ransom.
Krispy Kreme is now sending out data breach notification letters to individuals whose information was stolen as a result of the attack.
Its investigation determined recently that personal information such as name, date of birth, Social Security number, driver’s license or state ID number, financial account information (including username and password), payment card information, passport number, digital signature, email address and password, biometric data, US military ID number, and medical and health information was compromised.
The company pointed out that a majority of the impacted individuals are current and former Krispy Kreme employees and members of their families.
It’s unclear how many individuals are impacted, but it’s worth noting that Krispy Kreme has roughly 20,000 employees. In addition, the Texas Attorney General has been informed by the company that nearly 7,000 Texans are affected.
Impacted employees are being offered free credit monitoring and identity protection services. While — like most companies that suffer a data breach these days — Krispy Kreme says there is no evidence that the compromised information has been misused, the credit and identity protection services could be very useful considering that anyone can easily download the stolen data from the hackers’ website.
The most recent data from the company shows that the costs associated with the incident exceeded $11 million in fiscal 2024, and they are expected to increase in 2025.
Related: Swedish Truck Giant Scania Investigating Hack
Related: Data Breach at Healthcare Services Firm Episource Impacts 5.4 Million People
Related: Zoomcar Says Hackers Accessed Data of 8.4 Million Users
