Krispy Kreme cyberattack impacts online orders and operations

US doughnut chain Krispy Kreme suffered a cyberattack in November that impacted portions of its business operations, including placing online orders.

Krispy Kreme is an American multinational doughnut and coffeehouse chain operating 1,521 shops and 15,800 points of access and employing 22,800 people as of late 2023.

The company has an active partnership with McDonalds to offer its products to thousands of additional locations.

In an SEC filing submitted today, Krispy Kreme says it detected unauthorized activity on November 29, 2024, which has caused disruptions to its online ordering system in the United States.

"On November 29, 2024, Krispy Kreme, Inc. was notified regarding unauthorized activity on a portion of its information technology systems," reads the filing.

"Krispy Kreme shops globally are open, and consumers are able to place orders in person, but the Company is experiencing certain operational disruptions, including with online ordering in parts of the United States. Daily fresh deliveries to our retail and restaurant partners are uninterrupted."

The company has also updated its website to display a message warning that online ordering is disrupted.

"We’re experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States. We know this is an inconvenience and are working diligently to resolve the issue," reads the statement on its website.

Krispy Kreme recently highlighted in its third quarter 2024 financial results that digital orders represent 15.5% of the company's sales, contributing to its 3.5% organic revenue growth in Q3 2024.

After the attack, the company says it immediately sought the help of leading cybersecurity experts during its response and has taken steps to contain and remediate the incident.

Currently, the investigation remains ongoing, so the scope, nature, and exact impact of the incident are still being appreciated.

The cyberattack has had a material impact on Krispy Kreme's business and will continue to until recovery is completed. No specific dates or estimates about that were provided though.

The company also expects a "reasonable" financial impact from the loss of revenues from digital sales during the recovery period, fees for cybersecurity experts and advisors, and costs associated with system restoring efforts.

The market responded negatively to this news, as Krispy Kreme's stock price fell 2% earlier today following the news of the breach in its systems.

Krispy Kreme has not shared any additional details about the attack, so it is unclear if it was a ransomware attack or a different type of breach.

No ransomware groups have taken responsibility for the cyberattack, even after almost two weeks. If it was ransomware, this typically means the company is negotiating with the threat actors to prevent the leak of data.

When BleepingComputer contacted Krispy Kreme to ask for more details about the attack, the company shared a similar statement as the one to the SEC.