Krispy Kreme Admits That It Was Pwned

Krispy Kreme has confirmed that attackers stole the personal information of over 160,000 individuals in a November 2024 cyberattack.

While not huge, that is far from a trivial number of people affected.

Rebecca Moody, Head of Data Research at Comparitech, had this comment:

“This is a significant breach, and, according to our findings, it is the second-largest data breach following a ransomware attack on a food and beverage company in 2024. Worldwide, we tracked 68 attacks on this sector in 2024 with 726,650 records affected across these attacks in total. The largest breach was on Bojangles Restaurants, Inc. in February 2024 where 165,106 people had their data breached, while the third largest was on Panera Bread (Panera, LLC) in which 136,302 people had their data impacted.”

“So far this year, we’ve noted 13 attacks on food and beverage companies, affecting just over 40,000 records. Across 2024/25 the average ransom demand across these attacks was just under $1.9 million.”

“Krispy Kreme has been quite slow in reporting this breach, taking around 7 months to notify victims. This is significantly above the overall average we noted across all US companies reporting breaches following ransomware attacks (4.1 months) and even higher than the average across food and beverage companies (3.6 months). Therefore, we’d highly recommend anyone affected take up the free identity monitoring services being offered by Krispy Kreme as soon as possible, while being on high alert for any potential phishing messages.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, had this to say:

“It is concerning that it has taken Krispy Kreme this long to acknowledge the data breach and inform the individuals affected by the breach. I’m not saying they need to put a glowing neon sign in their window that says ‘Your data is hot and has been stolen,’ but they should not have taken this long. 7 months is a long time for data to be exposed without anyone being informed, and the least Krispy Kreme could do is offer free credit monitoring and free donuts for life.”

“Affected individuals need to keep an eye on their accounts (and take advantage of any free credit monitoring services that may be offered) and stay alert for any phishing texts, emails, or phone calls from bad actors attempting to use the harvested data to get their hands on even more personal and financial data.”

Krispy Kreme really stuffed it in terms of how long it took to let the world know that they had been pwned. Normally I would be saying that the relevant authorities should be asking questions as to why that was the case. But given how the world is right now, I don’t think that’s going to happen. But it should.
