Doughnut chain Krispy Kreme has disclosed a cybersecurity incident that occurred on November 29, 2024, involving unauthorized activity within its information technology systems. According to a filing with the U.S. Securities and Exchange Commission (SEC) on December 11, the company immediately took steps to “investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts.” While Krispy Kreme’s physical stores remain operational, and there have been no interruptions in deliveries to retail or restaurant partners, the company is facing “certain operational disruptions,” particularly related to online ordering in parts of the United States.
The Impact on Krispy Kreme’s Operations
This incident comes at a time when many companies, particularly those in retail and e-commerce, are increasingly vulnerable to cyberattacks, especially as the holiday season drives up online shopping activity. Cybercriminals know that the urgency of the season and the rise in digital transactions create an environment ripe for exploitation. Krispy Kreme’s situation mirrors trends observed across various sectors, where attackers target systems involved in e-commerce, payment processing, and online ordering.
In its SEC filing, Krispy Kreme stressed that while physical store operations are unaffected, “certain operational disruptions, including with online ordering in parts of the United States,” are ongoing. As of the filing date, the full scope, nature, and impact of the breach remain unclear. The company confirmed that it has notified federal law enforcement agencies and continues to work closely with external cybersecurity experts to mitigate the incident’s impact and restore its affected systems.
Financial Impact and Recovery Efforts
The company also highlighted the financial repercussions of the breach. Krispy Kreme warned that the incident is “reasonably likely to have a material impact on the Company’s business operations until recovery efforts are completed.” This includes “the loss of revenues from digital sales during the recovery period, fees for cybersecurity experts and other advisors, and costs to restore any impacted systems.” Although the company holds cybersecurity insurance, which is expected to offset some of the costs, Krispy Kreme does not anticipate a long-term material impact on its financial condition.
Nature of the Cyber Attack and Industry Trends
While the specific nature of the attack remains undisclosed, the event raises concerns about the vulnerability of the food service and retail sectors to cyberattacks, especially as companies become more dependent on digital infrastructure. Attackers are increasingly targeting the digital back-end of businesses, the systems that handle transactions, customer data, and operational logistics. For Krispy Kreme, the loss of digital sales revenue could be significant, especially during the busy holiday season, and may have a considerable short-term impact.
This breach follows a larger trend of high-profile cyber incidents affecting major companies. Earlier in 2024, several large retailers and food chains faced similar challenges, including incidents where cybercriminals exploited weaknesses in e-commerce platforms to steal payment card information or gain access to customer databases. For instance, high-profile cases such as the 2023 attack on the fast-food chain Domino’s, where cybercriminals breached the company’s online ordering system, demonstrated the growing sophistication of cyberattacks targeting the food service sector.
Lessons Learned
With more businesses transitioning to cloud-based systems and relying on digital interfaces for customer interaction, the attack surface for cybercriminals has significantly expanded. In many cases, these breaches are the result of phishing campaigns, ransomware attacks, or vulnerabilities in third-party software. This leaves businesses like Krispy Kreme vulnerable to significant disruptions, as they must balance maintaining customer trust and restoring systems while addressing the financial and reputational fallout.
In the wake of this incident, Krispy Kreme has assured investors and customers that the company is committed to resolving the issue. “The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering,” the filing stated. Despite the challenges faced by the company, Krispy Kreme remains optimistic that this breach will not have a lasting negative impact on its financial health.
The company’s ability to recover from this disruption will depend heavily on its cybersecurity response, how quickly it can restore online services, and how effectively it can protect customer data from further harm.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time: https://www.netizen.net/contact