Krispy Kreme, the international doughnut and coffee chain, suffered a significant ransomware attack in late 2024 that resulted in a major data breach and operational disruptions. The attack was detected on November 29, 2024, when Krispy Kreme noticed unauthorized activity on its IT systems. The company disclosed the incident in an SEC filing on December 11, 2024, confirming disruptions to its online ordering platform, particularly affecting digital sales in the U.S. Physical store operations and deliveries to retail partners, including McDonald’s, continued largely unaffected.
Perpetrators and Ransom Demand
The Play ransomware group claimed responsibility for the attack about a week after the initial disclosure. Play claimed to have stolen 184 GB of sensitive data, including personal, financial, and corporate documents, and threatened to release the data if their ransom demands were not met.
Data Compromised
Krispy Kreme’s investigation found that the breach exposed a wide range of personal information, including:
- Names, dates of birth, Social Security numbers, driver’s license or state ID numbers
- Financial account details (including usernames and passwords), payment card information
- Passport numbers, digital signatures, email addresses and passwords
- Biometric data, U.S. military ID numbers, and medical/health information
Over 160,000 individuals were affected, most of them current and former employees and their families, though some customers were also impacted. The breach notification letters sent out in June 2025 confirmed the exposure but stated there was no evidence of identity theft or fraud as a direct result so far.
Operational and Financial Impact
The attack caused significant disruption to Krispy Kreme’s online ordering system, leading to an estimated $11 million in lost revenue and $3 million in remediation costs. Online ordering was restored about a month after the attack, but the incident highlighted vulnerabilities in the foodservice industry’s digital infrastructure.