Skip to main content

Systems breach disrupts online ordering at Krispy Kreme

Krispy Kreme
Krispy Kreme is responding to a cybersecurity incident.

Krispy Kreme is still suffering the effects of a cyberattack which occurred in late November 2024.

In an 8-K Securities and Exchange Commission filing, the doughnut giant has confirmed that on Friday, Nov. 29, 2024, it was notified regarding "unauthorized activity" on a portion of its IT systems (the filing does not specify which portion was breached).

Krispy Kreme said in the filing that it immediately began taking steps to “investigate, contain and remediate” the incident with the assistance of cybersecurity experts and law enforcement. Its brick-and-mortar stores remain open globally and consumers can place orders in person, but the company said it has been experiencing operational disruptions, including with online ordering in parts of the U.S.

In a statement on its e-commerce site, Krispy Kreme said it knows the online ordering outage is an “inconvenience” and is “working diligently” to resolve the issue. 

"We’ll have our online ordering up as soon as we can," Krispy Kreme said in the statement. "Our fresh doughnuts are available in our shops as always."

The statement also advises customers that Krispy Kreme doughnuts are still available in grocery and convenience stores.

According to Krispy Kreme’s 8-K filing, daily fresh deliveries to retail and restaurant locations are uninterrupted. The company said the investigation is ongoing and the full "scope, nature, and impact" of the incident are not yet known. It has provided no other details about what type of intrusion into its network occurred or what data may have been compromised, or possibly locked with ransomware.

[READ MORE: Starbucks HR processes disrupted by Blue Yonder ransomware breach]

Advertisement - article continues below
Advertisement

As of the Dec. 11, 2014 date of the filing, Krispy Kreme said this incident has had and is "reasonably likely" to have a material impact on its business operations until recovery efforts are completed. Expected costs are expected to include the loss of revenues from digital sales during the recovery period, fees for cybersecurity experts and other advisors, and costs to restore any impacted systems.

The company holds cybersecurity insurance that it expects to offset a portion of remediation costs and said it does not expect this incident will have a long-term material impact on its results of operations and financial condition.

In a statement emailed to Chain Store Age, Paul Bischoff, consumer privacy advocate at tech research firm Comparitech, said Krispy Kreme customers should “assume the worst” about this incident and start monitoring their accounts for their own safety. 

"Krispy Kreme customers who order their donuts online should expect to receive a notice in the mail in the coming months informing them that their private information was breached," said Bischoff in the statement. "Most attacks of this nature don't just disrupt systems. They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months."

X
This ad will auto-close in 10 seconds