Krispy Kreme Doughnut Corporation has disclosed a significant data security incident involving unauthorized access to its information technology systems, affecting primarily current and former employees along with their family members.
The popular doughnut chain completed a comprehensive investigation and is now notifying affected individuals in accordance with legal requirements.
The cybersecurity breach was first detected on November 29, 2024, when Krispy Kreme became aware of suspicious unauthorized activity within a portion of its IT infrastructure.
The company immediately initiated response protocols, engaging leading cybersecurity experts to investigate, contain, and remediate the incident.
Following a thorough six-month investigation, Krispy Kreme concluded on May 22, 2025, that personal information had indeed been compromised during the attack.
The company emphasized that this notification was not delayed due to any law enforcement investigation, and that it has found no evidence that the stolen information has been misused for fraudulent purposes.
“We took immediate action upon discovering the unauthorized activity,” the company stated in its notification.
The response included working with cybersecurity specialists to secure systems and prevent further unauthorized access while conducting a comprehensive review of affected data.
Extensive Personal Data Compromised
The breach exposed a wide range of sensitive personal information, with the specific types of data varying by individual.
The compromised information potentially includes Social Security numbers, dates of birth, driver’s license numbers, and state identification numbers.
Financial data was also at risk, including bank account information, access credentials, and credit or debit card details combined with security codes.
More concerning for affected individuals, the breach may have exposed biometric data, digital signatures, email addresses with passwords, and username-password combinations for financial accounts.
Additional sensitive information potentially compromised includes passport numbers, USCIS or Alien Registration Numbers, US military identification numbers, medical and health information, and health insurance details.
The vast majority of individuals receiving breach notifications are current Krispy Kreme employees, former employees, and members of their families, suggesting the attack may have targeted human resources or payroll systems containing comprehensive employee records.
Protection Measures
In response to the incident, Krispy Kreme is providing free credit monitoring and identity protection services to all affected individuals.
Enrollment information for these services is included in the notification letters being sent to impacted parties.
The company has advised all recipients to maintain vigilance by closely monitoring their financial accounts, statements, credit reports, and other financial information for signs of unusual activity, fraudulent charges, or identity theft indicators.
Krispy Kreme reports that appropriate steps have been taken to secure its systems following the incident and that it continues strengthening security measures to better protect customer and employee data in the future.
Affected individuals seeking additional information about the incident can contact Krispy Kreme’s dedicated support line at (866) 461-2984, available Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays.
The company maintains that despite the significant scope of personal information potentially compromised, there have been no reports of identity theft or fraud directly resulting from this security incident.