Doughnut giant Krispy Kreme has disclosed a cyberattack that happened on 29 November and has led to significant operational disruptions, particularly affecting its online ordering system in parts of the United States.
The doughnut chain disclosed the cyberattack in an 8-K filing with the SEC.
The company was alerted to unauthorized activity on its information technology systems and has since engaged leading cybersecurity experts to investigate and remediate the situation.
Despite the attack, Krispy Kreme’s physical stores remain open globally, and customers can still place orders in person. Daily deliveries to retail and restaurant partners are also uninterrupted.
However, the disruption of online ordering is notable, as it accounted for 15.5% of the company’s sales in Q3 2024, highlighting its importance to overall revenue.
Impact and Scope Under Assessment
Krispy Kreme has notified federal law enforcement and indicated that the full scope and impact of the incident are still being assessed. The company anticipates that the incident will materially affect its business operations until recovery efforts are completed. Expected costs include lost revenues from digital sales during this period and fees for cybersecurity services, although the company holds insurance that may offset some expenses.
As investigations continue, Krispy Kreme reassured stakeholders that it does not expect a long-term material impact on its financial condition or operational results.
Trey Ford, Chief Information Security Officer at Bugcrowd, speculates that the incident may not have been made public if it wasn’t for the Form 8-k requirement. “Cybersecurity teams frequently ask, “What is our attack surface?” and “What happens if this platform is impacted?”.
Nothing Internet-Connected is Sacred
Ford says incidents like the one at Krispy Kreme provide valuable, if not expensive, insights into those questions. The attack goes to show that, truly, nothing Internet-connected is sacred. Attackers do not honor the budgetary or scope boundaries that limit testing and researchers. “Tracing the source of unauthorized activity can be challenging, especially when budget constraints limit logging and other telemetry. Data flow diagrams, authentication boundaries, and the scope of non-human identities (NHI) are critical tools for identifying the incident’s starting point—but success is not always guaranteed.”
Luckily, Ford says there seems to be a degree of system isolation between the online ordering platform and the store management platform. “On the upside, customers can still visit brick-and-mortar stores to buy donuts and coffee—albeit with the inconvenience of waiting a few extra minutes.”
Rippling Across the Business
For Alberto Farronato, CMO at Oasis Security, this incident highlights how cybersecurity events can ripple across business operations and customer experiences, even in industries not traditionally associated with high-tech services, causing operational disruptions, financial impact, and erosion of customer trust. “While the full details are yet to emerge, the scenario is all too familiar in today’s threat landscape. Once breached, they can become entry points for attackers, enabling unauthorized access to critical systems and data.”
As organizations increasingly rely on interconnected technology for operations, we encourage businesses to reevaluate their approach to identity security, focusing not just on human users but also on the digital identities driving their system, Farronato ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.