Krispy Kreme has released a detailed update on the ransomware attack that targeted its systems in November 2024, confirming that the breach impacted 161,676 individuals. This update, shared in June 2025, outlines the full scope of the data compromised and attributes the incident to the Play ransomware group, which later leaked the stolen information online.
This latest disclosure follows months of investigation and regulatory reporting.
The company has now begun notifying affected individuals, most of whom are employees, former employees, and their families. The updated information provides a clearer picture of both the severity of the breach and its lasting impact on the company’s operations and finances.
Why It Matters: Krispy Kreme’s update confirms the breadth of data stolen in a ransomware attack that significantly disrupted its operations. With personal, financial, and biometric data exposed, the incident raises serious concerns about long-term identity security for thousands, and about how companies handle crisis response and transparency.
- New Confirmation of Attack Scale and Actors: Krispy Kreme now officially attributes the 2024 cyberattack to the Play ransomware gang, which has launched hundreds of high-impact attacks globally. The attackers exfiltrated 184 GB of sensitive data, which they leaked after the company reportedly refused to pay a ransom. This latest update validates earlier suspicions while providing the first formal acknowledgment of the group’s involvement and the full data volume compromised.
- Scope of Data and Affected Individuals: The company’s June 2025 update reveals that 161,676 people were affected, with compromised data including Social Security numbers, financial account details, passport numbers, login credentials, biometric data, and even military and immigration IDs. This disclosure confirms filings made to the Maine Attorney General and highlights the range of sensitive information that could be used for identity theft or fraud.
- Operational and Financial Fallout: The attack caused substantial disruption to Krispy Kreme’s online ordering systems and retail operations in late 2024, affecting dozens of locations nationwide. The company estimates its financial losses exceed $11 million, with $4.4 million spent on remediation, including cybersecurity services and system recovery. In its financial disclosures, it also cited reduced digital revenue during the recovery period.
- Regulatory and Legal Disclosures: Following legal requirements, Krispy Kreme submitted updated data breach reports to attorneys general in multiple states, including Maine, Texas, and South Carolina. The SEC was also informed in 2024 of the attack’s potential material impact. The public update underscores the company’s ongoing compliance efforts and provides transparency around the breach’s scale.
- Ongoing Response and Consumer Protection: As part of its continued response, Krispy Kreme has enhanced its cybersecurity posture and is offering free credit monitoring and identity theft protection services to those affected. While core operations have resumed, the company notes that residual financial effects may continue into fiscal 2025, although some losses may be covered through cyber insurance.