Krispy Kreme released new information about its late 2024 data breach and said it is notifying affected individuals—many of them current or former employees, and their families.
According to a post on its website and a notification to the attorney general’s office in Maine, Krispy Kreme’s investigation into a network system breach late last year found 161,676 people were affected and are now being notified.
“On May 22, 2025, our investigation into the incident determined that certain personal information was affected,” according to Krispy Kreme Doughnut Corp., adding that accessed information varies by individual but includes a long list of personal identifiable information including name, date of birth, Social Security number, driver’s license or state ID number, email, financial account information, financial account access information, credit or debit card information, passport number, digital signature, username and password, biometric data, USCIS or Alien Registration Number, US military ID number, medical or health information, and health insurance information.
The unauthorized access stems from a hacking Krispy Kreme was made aware of at the end of November 2024. The cyber incident disrupted some of its operations.
In its annual report filed with the U.S. Securities and Exchange Commission, Krispy Kreme said that in the fourth quarter 2024 it spent about $3 million in remediation expenses related to the data breach, and estimated a loss in revenue in the U.S. of about $11 million.
“We expect to continue to incur costs in fiscal 2025 related to the incident, including operational inefficiencies early in the first quarter and costs related to fees for our cybersecurity experts and other advisors. The company holds cybersecurity insurance that is expected to offset a portion of the losses and costs from the incident,” the company said in the annual report.
Krispy Kreme never provided any indication of the type of breach it suffered but said it has no evidence that the information was misused and the company is “not aware of any reports of identity theft or fraud as a direct result of this incident.”
“Krispy Kreme took the appropriate steps to secure our systems following the incident and continues strengthening the security of our systems to further protect the privacy of the data entrusted to us,” the company said.
Free credit monitoring and identity protection services are being offered to affected people, who are advised to keep a close eye on financial accounts and credit reports.
Topics
Cyber
Interested in Cyber?
Get automatic alerts for this topic.
Source link