Cyber Defense Advisors

Krispy Kreme hack exposed sensitive data of over 160,000 people

Graham CLULEY

June 20, 2025

Krispy Kreme, the dispenser of delectable doughnuts, has revealed that an astonishingly wide range of personal information belonging to past and present employees, as well as members of their families, was accessed by hackers during a cyber attack last year.

The attack, which was first disclosed in a filing to the Securities and Exchange Commission (SEC) in December 2024, has now been revealed to have impacted 161,676 individuals.

What is perhaps most alarming, however, is not the number of people who have had their sensitive personal information breached, but rather the type of information that was taken:

  • Names
  • Dates of birth
  • Email addresses, usernames, and passwords
  • Social Security numbers
  • Passport numbers
  • Biometric data
  • Credit or debit card information in combination with a security code, username, and password to a financial account
  • Credit or debit card information
  • Digital signatures
  • Driver’s license or state ID numbers
  • Financial account access information
  • Financial account information
  • Health insurance information
  • Medical or health information
  • US military ID numbers
  • USCIS or Alien Registration Numbers

This, let us not forget, is information that was being stored by a company that sells doughnuts.

To its credit, Krispy Kreme’s website now contains a large banner on its home page which links to information about the data breach.

In Krispy Kreme’s notification, you will not see any sign of an apology from the company to those who have had their data stolen, but it does offer affected individuals free credit monitoring and identity protection services.

Those impacted would be wise to remain vigilant to the threat of identity theft, and may want to consider placing a security freeze on their credit report if they are worried that they might be targeted by criminals.

Ironically, putting in place a credit freeze requires handing over your personal information once again: your full name, Social Security number, date of birth, address, and other identifiable details.

Frankly, I suspect most victims of a data breach like this would find it an awful lot easier to stomach if there was an apology from the company that had the sensitive information stolen from it while it was under their watch. Maybe a free box of doughnuts would have sweetened the blow a little?

Krispy Kreme says that it has taken “the appropriate steps” to secure its systems following the attack, and continues to improve the strength of its security to protect data privacy.

 
