Krispy Kreme released new information about its late 2024 data breach a
nd said it is notifying affected individuals—many of them current or former employees, and their families.
According to a post on its website and a notification to the
attorney general’s office in Maine, Krispy Kreme’s investigation into a net
work system breach late last year found 161,676 people were affected and are now being notified.
“On May 22, 2025, our investigation into the incident determined that certain personal information was a
ffected,” according to Krispy Kreme Doughnut Corp., adding that accessed information varies by individual but includes a
long list of personal identifiable information including name, date of birth, Social Security number, driver’s licen
se or state ID number, email, financial account information, financial account access information, credit or debit card information, passport number, digit
al signature, username and password, biometric data, USCIS or
Alien Registration Number, US military ID number, medical or health information, and health insurance information.
The unauthorized access stems from a hacking Krispy Kreme was m
Watch More Image Part 2 >>>
ade aware of at the end of November 2024. The cyber incident disrupted some of its operations.
In its annual report filed with the U.S. Securities and Exchange Co
mmission, Krispy Kreme said that in the fourth quarter 2024 it spent about $3 million in remediation expenses
related to the data breach, and estimated a loss in revenue in the U.S. of about $11 million.
“We expect to continue to incur costs in fiscal 2025 related to the incident, including operational inefficiencies ea
rly in the first quarter and costs related to fees for our cybersecurity experts and other advisors. The company holds cyber
security insurance that is expected to offset a por
tion of the losses and costs from the incident,” the company said in the annual report.
Krispy Kreme never provided any indication of the type of breach it suffered but said it has no evidence that the information was misused and the company is “not
aware of any reports of identity theft or fraud as a direct result of this incident.”
“Krispy Kreme took the appropriate steps to secure our systems following the incident and continues strengthening the security of our systems to further protect the privacy of the data entrusted to us,” the company said.