Krispy Kreme

On **Black Friday 2024**, Krispy Kreme detected unauthorized network activity, marking the start of a **cyber-attack** that crippled its **online ordering system until December 30, 2024**. The incident led to **significant financial and operational disruptions**, including lost digital sales revenue, cybersecurity advisory fees, and system restoration costs, all of which materially impacted the company’s financial condition. Months later, in **May 2025**, Krispy Kreme disclosed that **nearly 62,000 individuals** had their **highly sensitive data stolen**, including **Social Security numbers, financial account details, passport numbers, and biometric data**. The breach exploited potential holiday-season vulnerabilities, such as understaffed security teams and relaxed IT monitoring. The prolonged investigation and recovery underscored the attack’s severity, with long-term reputational and financial repercussions for the company.

Source: https://www.jdsupra.com/legalnews/privacy-security-spooky-season-is-upon-9543734/

TPRM report: https://www.rankiteo.com/company/krispy-kreme

"id": "kri5093650100125",
"linkid": "krispy-kreme",
"type": "Cyber Attack",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '62,000 individuals',
                        'industry': 'food and beverage (donut retail)',
                        'location': 'United States (global operations)',
                        'name': 'Krispy Kreme',
                        'type': 'public company'}],
 'customer_advisories': 'yes (notified 62,000 affected individuals in May '
                        '2025)',
 'data_breach': {'data_exfiltration': 'yes',
                 'number_of_records_exposed': '62,000',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data',
                                              'biometric data',
                                              'government-issued IDs (SSNs, '
                                              'passports)']},
 'date_detected': '2024-11-29',
 'date_publicly_disclosed': '2024-12-11',
 'date_resolved': '2024-12-30',
 'description': 'On Black Friday 2024, Krispy Kreme detected unauthorized '
                'activity on its network, leading to a cyberattack that '
                'disrupted its online ordering system until December 30, 2024. '
                'The incident resulted in the theft of sensitive personal data '
                'of nearly 62,000 individuals, including Social Security '
                'numbers, financial account information, passport numbers, and '
                'biometric data. The attack was disclosed in an SEC filing on '
                'December 11, 2024, with expected material financial and '
                'operational impacts. The company continued its investigation '
                'into 2025, confirming the data breach in May 2025.',
 'impact': {'brand_reputation_impact': 'high (public disclosure of sensitive '
                                       'data breach)',
            'data_compromised': ['Social Security numbers',
                                 'financial account information',
                                 'passport numbers',
                                 'biometric data',
                                 'personally identifiable information'],
            'downtime': '31 days (November 29, 2024 – December 30, 2024)',
            'financial_loss': 'material impact (revenue loss from digital '
                              'sales, cybersecurity expert fees, system '
                              'restoration costs)',
            'identity_theft_risk': 'high (SSNs, financial data, biometric data '
                                   'exposed)',
            'operational_impact': 'online ordering system offline, extended '
                                  'investigation period',
            'payment_information_risk': 'high (financial account information '
                                        'compromised)',
            'revenue_loss': 'loss of digital sales during peak holiday season',
            'systems_affected': ['online ordering system']},
 'initial_access_broker': {'high_value_targets': ['customer PII',
                                                  'financial data']},
 'investigation_status': 'completed (as of May 2025 notification)',
 'lessons_learned': 'Hackers exploit holiday periods when security teams may '
                    'be understaffed or monitoring relaxed. Proactive security '
                    'measures, employee training, and incident response '
                    'preparedness are critical during high-risk periods like '
                    'Black Friday.',
 'motivation': ['financial gain', 'data theft'],
 'post_incident_analysis': {'root_causes': ['potential understaffing during '
                                            'holidays',
                                            'relaxed IT monitoring',
                                            'exploitation of peak transaction '
                                            'periods']},
 'ransomware': {'data_exfiltration': 'yes'},
 'recommendations': ['Verify payment details independently to prevent wire '
                     'transfer fraud, especially during holidays.',
                     'Ensure compliance with state privacy laws (e.g., Oregon '
                     'Consumer Privacy Act) to avoid fines.',
                     'Strengthen cybersecurity defenses ahead of high-risk '
                     'periods (e.g., holidays).',
                     'Review and test incident response plans regularly.',
                     'Monitor for unauthorized activity with heightened '
                     'vigilance during peak seasons.'],
 'references': [{'source': 'Krispy Kreme SEC Filing (December 11, 2024)'},
                {'source': 'Krispy Kreme Customer Notification (May 2025)'}],
 'regulatory_compliance': {'regulatory_notifications': ['SEC filing (December '
                                                        '11, 2024)']},
 'response': {'communication_strategy': 'SEC filing (December 11, 2024), '
                                        'customer notification (May 2025)',
              'incident_response_plan_activated': 'yes (investigation '
                                                  'initiated post-detection)',
              'recovery_measures': 'online ordering system restored by '
                                   'December 30, 2024',
              'remediation_measures': 'system restoration, ongoing '
                                      'investigation',
              'third_party_assistance': 'yes (cybersecurity experts and '
                                        'advisors engaged)'},
 'title': 'Krispy Kreme Black Friday 2024 Cyberattack and Data Breach',
 'type': ['cyberattack',
          'data breach',
          'ransomware (implied by disruption and data theft)']}