Krispy Kreme has disclosed that its November 2024 data breach affected 161,676 people.
In a breach notification shared this week, the company said exposed data varies by person, but the list is long and deeply personal.
It includes names, Social Security numbers, dates of birth, and driver’s license or state ID numbers. In some cases, it extends to financial account details, login credentials, debit and credit card data (including security codes), passport numbers, digital signatures, and biometric identifiers.
Also potentially compromised: military ID numbers, USCIS or Alien Registration Numbers, and sensitive health or insurance information.
The disclosure comes months after the breach was first identified, raising fresh concerns about response timelines and the growing complexity of data exposure in retail breaches.
In a statement, the company said: “Krispy Kreme is offering credit monitoring and identity protection services at no cost to affected individuals, who can find enrollment information in their notice letters.”
Krispy Kreme also advised all notice recipients to stay vigilant and “closely review and monitor their financial accounts, statements, credit reports and other financial information for any evidence of unusual activity, fraudulent charges, or signs of identity theft.”
Extreme Personal Details Collected
Dray Agha, senior manager of security operations at Huntress, said, “Krispy Kreme collected extreme personal details, like biometrics, medical info, and military IDs – far beyond what’s needed to sell doughnuts. Biometrics and digital signatures are especially concerning since they can’t be reset like passwords. Storing credit card security codes, financial account passwords, and government IDs, such as passports, in the same systems is a major red flag.”
These should be strictly isolated, added Agha. “Mixing them made it easier for attackers to steal ‘full identity kits’ for fraud. Retaining CVV numbers (prohibited by card industry rules) and passwords in plaintext or weak encryption shows alarming gaps. Usernames and passwords also require robust encryption, which appears to have been overlooked. Krispy Kreme now faces lawsuits and fines, but the bigger damage is to customer trust: people expect retailers to protect their data, not stockpile it irresponsibly.”
Potentially Significant Harm
Aimee Bush, principal consultant, principal data privacy consultant at Bridewell, commented: “The types of data impacted in this breach could cause significant harm to current and former employees, particularly when we consider the risk of fraud and identity theft. The biggest concern is that Krispy Kreme have confirmed that biometric data has been impacted, and whilst we don’t know which types of biometrics, unlike passwords, credit card numbers, and even digital signatures, we cannot easily change a fingerprint, or face, meaning a breach of this type of data could result in long-term and potentially irreversible damage.
“While it’s difficult to comment on what security measures they had in place before the incident, or the root cause itself, there are some technical measures they could have taken to support protecting the information they were collecting,” added Bush. “For example, using Biometric Privacy Enhancing Technologies to support ‘unlikability’, to make the link between the biometric template and the person they belong to more challenging, such as keeping the biometrics and other personal information segregated, or using ‘irreversibility’ so the biometric template can’t be reserve engineered and used for other purposes.”
Understandable Concerns
Chris Burton, Head of Professional Services at Pentest People, concluded: “Those 161,676 individuals affected may understandably feel concerned, as the type of data involved could potentially be used to carry out identity theft or financial fraud. It’s difficult to comment definitively on the security measures Krispy Kreme had in place before the breach, but the nature and scope of the data collected, unfortunately, does raise eyebrows.”
Burton said it’s worth noting that Krispy Kreme’s privacy policy, like many others in the industry, includes language around ‘selling’ or ‘sharing’ personal information with third parties for commercial or business purposes. “While this practice isn’t unusual, it does highlight an area that may warrant greater scrutiny, particularly from a consumer protection perspective. When personal data is passed between multiple parties, the risk of misuse or compromise naturally increases, so it’s something users should be cautious about and companies may need to revisit with stronger safeguards in mind.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.