Cyber Incident Victim: Krispy Kreme
Date:
Nov 2024
Location:
United States of America
Summary
Krispy Kreme experienced unauthorized access to part of its IT infrastructure, prompting an immediate investigation and containment effort with external cybersecurity experts. The incident caused operational disruptions, including intermittent online ordering outages in some U.S. regions, though physical stores remained operational and daily fresh product deliveries to partners continued unaffected. While the full scope remains under investigation, the breach is expected to materially impact business operations and financial results due to lost digital sales, incident response costs, and system restoration expenses, partially offset by cybersecurity insurance. Federal law enforcement was notified, and recovery efforts are ongoing, with no anticipated long-term material financial consequences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 29, 2024, Krispy Kreme, Inc. detected unauthorized activity affecting a segment of its information technology infrastructure. The company promptly initiated an investigation with assistance from external cybersecurity specialists to contain and remediate the incident. While physical Krispy Kreme locations worldwide remained operational for in-person purchases, the breach caused partial disruptions to online ordering systems in several U.S. markets. The company confirmed that core supply chain operations—including daily fresh doughnut deliveries to retail partners and franchisees—continued without interruption throughout the incident response period.
Krispy Kreme engaged forensic experts to assess the breach's scope and implemented recovery protocols to restore affected digital services. Federal law enforcement agencies were notified as part of the response protocol. The ongoing investigation had not yet established definitive conclusions regarding the attack's origin, full operational impact, or data compromise extent as of the December 11 SEC filing date. Material disruptions to business operations persisted during recovery efforts, with projected financial impacts including lost digital sales revenue, cybersecurity consulting fees, and system restoration expenses. The company acknowledged these costs would likely materially affect short-term financial results but emphasized cybersecurity insurance coverage would mitigate partial losses. No long-term operational or financial consequences were anticipated based on preliminary assessments documented in the regulatory filing.