Krispy Kreme reports cyberattack that disrupted their online ordering
Learn More
Krispy Kreme, Inc. reports that they have been hit by a cybersecurity incident when unauthorized activity was detected on portions of their information technology systems.
The attack led to operational disruptions, affecting their online ordering capabilities across various regions in the United States. The company initiated its incident response protocol, engaging leading cybersecurity experts and notifying federal law enforcement.
While physical stores remained operational and in-person ordering continued to function normally, the disruption to online ordering systems has created challenges for the business. According to their Q3 2024 financial results, digital orders represent 15.5% of their sales, making this disruption particularly concerning for their business operations.
The company has confirmed that daily fresh deliveries to their retail and restaurant partners, including their partnership with McDonald's, remain uninterrupted throughout this incident.
The financial impact of this cyberattack has been significant enough for Krispy Kreme to file a disclosure with the Securities and Exchange Commission. The company's stock price dropped 2% following the announcement, reflecting market concerns about the incident. The company expects substantial financial implications from lost digital sales revenue during the recovery period, combined with costs associated with cybersecurity experts, advisors, and system restoration efforts.
The company has not disclosed the type of attack, any compromised data or the number of affected individuals. No ransomware groups have claimed responsibility for the attack, and the company has not provided an estimated timeline for full recovery. The investigation remains ongoing, with the company working alongside cybersecurity experts to assess the full scope and impact of the incident while implementing necessary remediation measures.
Update - as of 19th of December 2024, the Play ransomware group has claimed responsibility for breaching Krispy Kreme's networks, threatening to expose stolen financial, personal, and business data.
As of 19th of June 2025, Krispy Kreme reports that the incident impacted 161,676 individuals.
