Krispy Kreme Data Breach Exposes Customer Personal Information

Krispy Kreme Doughnut Corporation has confirmed a significant data breach that exposed the personal information of over 160,000 individuals following a ransomware attack in late 2024.

The incident, which affected both employees and customers, has raised concerns about data security at one of the world’s most recognized doughnut chains.

Discovery and Immediate Response

Krispy Kreme detected unauthorized activity on its information technology systems on November 29, 2024.

The company responded swiftly, engaging leading cybersecurity experts to investigate, contain, and remediate the breach.

Operational disruptions were reported, particularly affecting online ordering systems during the busy holiday season, although physical stores remained open and continued to serve customers.

A week after the initial discovery, the Play ransomware group claimed responsibility for the attack, boasting of having stolen 184 GB of sensitive data, including personal and financial information, client documents, payroll, and accounting records.

When Krispy Kreme reportedly refused to pay the ransom, the group published the stolen data on their dark web leak site in December 2024.

Krispy Kreme’s investigation, concluded in May 2025, revealed that the breach impacted at least 161,676 individuals. The majority of those affected are current and former employees and their families, but customers’ data is also believed to be included.

The types of information compromised vary by individual but may include:

  • Names and Social Security numbers
  • Dates of birth
  • Driver’s license or state ID numbers
  • Financial account details, including usernames and passwords
  • Credit or debit card information, sometimes with security codes
  • Passport numbers and digital signatures
  • Email addresses and passwords
  • Biometric data
  • US military ID numbers
  • Medical and health insurance information

Separate filings with state attorneys general confirm that Social Security numbers, financial account information, and driver’s license data were contained in the stolen documents.

Krispy Kreme is mailing data breach notification letters to affected individuals, in line with legal requirements.

The company is offering complimentary credit monitoring and identity protection services to those impacted.

Recipients are advised to remain vigilant, monitoring their financial accounts and credit reports for signs of fraud or identity theft.

The company has emphasized that, to date, there is no evidence that the compromised information has been misused, nor are there reports of identity theft directly linked to the breach. 

However, cybersecurity experts warn that the public release of such sensitive data on the dark web poses ongoing risks for affected individuals.

In the wake of the breach, Krispy Kreme has taken steps to further secure its systems and continues to enhance its cybersecurity protocols.

The company anticipates that costs related to the incident—already exceeding $11 million in fiscal 2024—will continue to rise as additional protective measures are implemented.
