Krispy Kreme has revealed that over 160,000 people have had sensitive data compromised as a result of a November 2024 data security incident.

The affected data includes highly sensitive financial information that could leave impacted individuals vulnerable to fraud. This includes:

Financial account information

Financial account access information

Credit or debit card information in combination with a security code

Username and password to a financial account

A range of personal details were also accessed by the unauthorized actor. This included medical or health information and health insurance details.

Other compromised data included names, Social Security numbers, dates of birth, driver’s license or state ID numbers, passport numbers, digital signatures, usernames and passwords, email addresses and passwords, biometric data, USCIS or Alien Registration Numbers and US military ID numbers.

The type of information accessed varies by individual.

Krispy Kreme is notifying individuals whose data was affected in the incident.

“The vast majority of those receiving notices are affected Krispy Kreme employees, former employees and members of their families,” the company wrote in a statement.

It is not known whether any customer data has been impacted.

Affected individuals will be offered free credit monitoring and identity protection services, and can find enrollment information in their notice letters.

The US-based doughnut maker and coffeehouse chain said there is currently no evidence that the information has been misused.

However, all notice recipients have been urged to stay vigilant for possible identity theft or fraud, and should regularly monitor their financial accounts, statements, credit reports and other financial information for any evidence of unusual activity.

“Krispy Kreme took the appropriate steps to secure our systems following the incident and continues strengthening the security of our systems to further protect the privacy of the data entrusted to us,” the company added.

A data breach notification to Maine's Office of the Attorney General dated June 16 put the total number of individuals affected at 161,676.

Incident Costs Krispy Kreme $11m in Lost Revenue

Krispy Kreme first publicly disclosed the incident in December 2024, saying it had disrupted operations including online orders.

The retailer admitted that expected costs related to the incident, including the loss of revenues from digital sales, advisory fees and recovery costs, were likely to have an impact on the company’s financial condition.

The firm’s annual report, published in February 2025, estimated that the incident cost it $11m in lost revenue.

Krispy Kreme added that it expects to incur further costs in financial year 2025 related to the incident, including ongoing operational inefficiencies and fees to cybersecurity experts and other advisors.

Its investigation into the incident determined on May 22, 2025, that personal information was affected.

The attack was reportedly claimed by the Play ransomware group, but Krispy Kreme has given no indication as to whether the incident was ransomware-related.

