Krispy Kreme, the well-known U.S. doughnut chain, has confirmed a significant data breach that has impacted the personal information of over 160,000 individuals following a cyberattack in November 2024. The cyberattack, which was disclosed in a recent filing with Maine’s Office of the Attorney General, has raised concerns over the potential misuse of the stolen data.
The company, which operates 1,521 shops and 15,800 points of access across 40 countries, alerted affected individuals through breach notification letters. In these letters, Krispy Kreme reassured customers that there is currently no evidence of misuse of their information, and no reports of identity theft or fraud have been attributed to the incident. Nevertheless, the breach has left thousands of customers anxious about the safety of their sensitive data.
While Krispy Kreme has not disclosed the specific types of data that were exposed, an additional filing with Massachusetts’ Attorney General suggests that sensitive information, including social security numbers, financial account details, and driver’s license information, may have been compromised. The company detected unauthorized activity on its IT systems on November 29, leading to a wider investigation and engagement of external cybersecurity experts to assess the incident’s impact.
The Play ransomware gang has claimed responsibility for the attack, alleging that they stole extensive confidential data from Krispy Kreme’s network. Reportedly, the gang has released multiple archives containing hundreds of gigabytes of documents on their dark web leak site after negotiations with the company failed. The Play ransomware operation is known for utilizing double-extortion tactics, threatening the release of sensitive data unless a ransom is paid.
The FBI and CISA have reportedly issued warnings regarding the Play ransomware gang, indicating that the group has breached around 300 organizations worldwide as recent as October 2023. Notable previous victims include major corporations and municipalities, emphasizing the growing threat of cyberattacks in various sectors.