A ransomware attack in November 2024 led to the theft of personal, financial, and health information from thousands of individuals.
What happened
Krispy Kreme has confirmed that a cyberattack in late November 2024 exposed the personal information of at least 161,676 people. The breach was disclosed in a regulatory filing with Maine’s Office of the Attorney General and further detailed in notifications to affected individuals sent in May 2025.
Although Krispy Kreme initially stated there was no evidence of data misuse, later disclosures revealed that the compromised information included highly sensitive data such as Social Security numbers, financial account details, driver’s license numbers, and, according to a company update on June 20, health-related information.
Going deeper
The breach was first detected on November 29, 2024, with disruptions to the company’s online ordering systems reported shortly afterward. The company filed an initial incident report with the SEC on December 11 and brought in external cybersecurity experts to investigate.
The Play ransomware gang later claimed responsibility, alleging that they had stolen and leaked confidential company and customer data. After negotiations failed, the group released several large archives of documents, hundreds of gigabytes, on their leak site in December. The released data reportedly included payroll, contracts, tax documents, ID numbers, and more, although these claims have not been independently verified.
Play ransomware is known for double-extortion tactics: stealing data before encrypting it, then threatening to publish it if ransom demands are not met. The group has previously targeted high-profile victims, including Rackspace, the City of Oakland, and Microchip Technology.
What was said
In its breach notification letters, Krispy Kreme said there is currently no indication that the stolen information has been misused, but confirmed that unauthorized access to personal information did occur. The company has not publicly stated whether a ransom was paid and has referred questions about negotiation outcomes to its legal team.
A June 20 update on the company’s website provided the most detailed list of compromised data to date, including personal identifiers, account credentials, biometric data, and health insurance information.
The big picture
The Krispy Kreme breach reflects a broader shift in ransomware tactics, with threat actors targeting global consumer brands. The exposure of health and biometric data adds another layer of risk, especially in relation to identity misuse or synthetic identity creation. Beyond operational disruption, incidents like this now involve extensive data compromise. As companies expand across digital and retail platforms, the impact of such breaches can extend to customers, employees, suppliers, and international partners.
FAQs
What is Play ransomware, and how does it operate?
Play is a cybercriminal group known for double-extortion attacks: stealing data before encrypting systems, then threatening public exposure if a ransom isn’t paid. It has targeted hundreds of organizations worldwide since 2022.
Why would health information be stored by a company like Krispy Kreme?
Health data may be collected as part of employee health benefits, insurance processing, or workplace injury claims. In some cases, it may also relate to contractors or job applicants.
How can individuals check if they were impacted?
Those affected should receive notification letters directly from Krispy Kreme. Individuals can also contact the company’s designated support line or visit their official breach notice page for more details.
What are the risks of biometric and digital signature exposure?
Biometric data (like fingerprints or facial recognition) is difficult to change once compromised. If exposed, it can be exploited in identity fraud or used to bypass security systems that rely on biometric verification.
What legal protections apply to individuals after a data breach?
Depending on the state or country, affected individuals may be entitled to free credit monitoring, identity theft protection services, and the right to pursue legal action if harm is demonstrated. Regulatory investigations may also follow.
Farah Amod
