A major hacking attack on Krispy Kreme in November affected more than 160,000 people, the doughnut maker said on Thursday.
The company disclosed Thursday that the data breach affected mostly Krispy Kreme employees, former employees and members of their families, all of whom are being sent notifications.
Krispy Kreme’s cybersecurity filings Thursday said the hackers accessed and stole files containing the sensitive personal information of at least 161,676 individuals.
That includes at least 19,665 North Carolinians, according to the Krispy Kreme security breach report to the N.C. Attorney General’s Office.
Krispy Kreme said its investigation was completed May 22, and that its notification “has not been delayed as the result of a law enforcement investigation.”
Krispy Kreme said in its disclosure that “we will be providing detailed information specific to their data” to affected individuals.
The company said information subject to unauthorized access varies by individual, but may include personal identification, financial accounts, biometric data, health insurance information, and username and password.
“Importantly, we have no reports that the criminals have used any information for identity theft or fraud as a result of this incident,” the company said.
Krispy Kreme is offering credit monitoring and identity protection services at no cost to affected individuals. Enrollment information will be in the notice letters.
For more information on the data breach, call (866) 461-2984 between 9 a.m. and 5:30 p.m. Central Time on weekdays.
Krispy Kreme disclosed in February that it had an $11 million financial impact in the fourth quarter from the hacking incident that at that time mostly affected customers’ ability to place digital and online orders.
Krispy Kreme said some of the $11 million is expected to be covered by cybersecurity insurance.
Law firm’s response
Murphy Law Firm, based in Oklahoma City, said it plans to pursue a class-action lawsuit against Krispy Kreme related to the data breach and is soliciting potential lead plaintiffs.
The law firm said the ransomware group known as Play took credit for the attack, claiming to have stolen 184 gigabytes worth of data, including personal information, client documents and financial information.
To put the data breach exposure into context, a gigabyte is a unit of digital information storage equivalent to 1 billion bytes.
The group claims to have made this data public on their Tor-based leak website in December.
“As a result of the data breach, these individuals’ personal and highly sensitive information may be in the hands of cybercriminals, who can place the information for sale on the dark web or use the information to perpetrate identity theft,” the law firm said.
Krispy Kreme vs. McDonald’s
Krispy Kreme already is facing at least one federal lawsuit accusing the company of misleading investors with its recent financial performance, particularly as it relates to a partnership with fast food giant McDonald’s.
The common theme among the lawsuits filed to date is that Krispy Kreme made materially false and/or misleading statements, as well as failed to disclose material adverse facts about the company’s business, operations and prospects.
The typical lawsuit coverage period is Feb. 25 to May 7.
Krispy Kreme reported May 8 that it was pausing an expansion of the McDonald’s partnership as part of a first-quarter earnings report that also included ending a quarterly dividend payment and withdrawing its fiscal 2025 financial guidance.
Krispy Kreme and McDonald’s unveiled in October 2022 “a small operations test” in which three flavors of doughnuts would be delivered fresh daily from one of Krispy Kreme’s three restaurant locations in Louisville to nine McDonald’s locations.
In March 2024, the companies announced taking their in-store partnership nationwide via a phased rollout that began in the second half of 2024 and was projected to be completed by the end of 2026.
As of March 31, 2025, there are more than 2,400 participating locations, primarily in the Midwest, but with at least 500 in the greater New York City area.
There had been plans to reach about 6,000 McDonald’s locations by the end of 2025 and more than 12,000 by the end of 2026.
However, Krispy Kreme said in its May 8 news release it “is reassessing the deployment schedule together with McDonald’s while it works to achieve a profitable business model for all parties.”