Krispy Kreme Alerts 161,676 Individuals to Cybersecurity Breach

Krispy Kreme, a prominent doughnut and coffeehouse chain, has alerted approximately 161,676 individuals, including current and former employees and their family members, about a major cybersecurity breach that has exposed their personal information to potential identity theft and fraud. The company revealed this incident in a filing with the Office of the Maine Attorney General, stating that an unauthorized actor accessed its information technology systems, compromising a wide range of sensitive data.

The compromised information includes names, Social Security numbers, dates of birth, and driver’s license or state ID numbers. Additionally, financial data such as financial account access records, credit or debit card entries, along with security codes, usernames, and passwords to financial accounts, may have been stolen. Other potentially compromised data includes digital signatures, usernames and passwords, email addresses and passwords, biometric records, USCIS or Alien Registration Numbers, US military ID numbers, medical or health records, and health insurance entries.

Krispy Kreme first detected the unauthorized activity on November 29, 2024. The company immediately launched an investigation, collaborating with leading cybersecurity experts to contain and remediate the incident. By May 22, 2025, the investigation confirmed that certain personal information had been affected. Despite the breach, there is no evidence that the stolen information has been misused, and the company has not received any reports of identity theft or fraud directly related to this incident.

In response to the breach, Krispy KremeDNUT-- has taken several measures to mitigate the impact. The company has sent notification letters to affected individuals, providing detailed information about the cybersecurity incident and offering free credit monitoring and identity protection services. Additionally, Krispy Kreme is in the process of revamping its security protocols to enhance the protection of the data entrusted to it.

The incident highlights the escalating threat of cybersecurity breaches in the retail sector, where sensitive personal and financial information is often stored. Companies like Krispy Kreme must continually update their security measures to safeguard against such attacks, which can have far-reaching consequences for both the business and its customers. The breach serves as a reminder of the importance of robust cybersecurity practices and the need for vigilance in protecting personal data.