Cyber attack cost Krispy Kreme over $11 million in lost revenue

U.S. doughnut chain Krispy Kreme said that the data security incident it suffered last year led to a loss in revenue of roughly $11 million and cost it another $3 million in remediation costs.

 

Headquartered in Charlotte, North Carolina, Krispy Kreme is an American multinational doughnut company and coffeehouse chain. It runs a chain of more than 1,500 shops and also partners with McDonalds to offer its products at several other locations.

 

In a filing with the U.S. Securities and Exchange Commission, Krispy Kreme said that on November 29, it was notified about an unauthorised activity in portions of its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

The Play ransomware group later claimed responsibility for the cyber attack on Krispy Kreme and listed it as a victim on its data leak site.

 

The group claimed to have access to the company’s database, including client files, budget, payroll, accounting, contracts, taxes, identification documents and finances and threatened to leak the same on December 21 if the company failed to pay the ransom.

 

In a recent filing with the SEC, Krispy Kreme said that the data security incident had an operational impact and cost it approximately $11 million in lost revenue.

 

“The incident materially affected the Company’s business operations and is reasonably likely to materially impact the Company’s results of operations and financial condition. 

 

“In the fourth quarter of 2024, we incurred approximately $3 million of remediation expenses related to the 2024 Cybersecurity Incident. In addition, we estimate that we lost revenue within our U.S. segment in an amount of $11 million related to the incident.

 

“We expect to continue to incur costs in full year 2025 related to the incident, including operational inefficiencies early in the first quarter and costs related to fees for our cybersecurity experts and other advisors,” reads the filing.

 

Krispy Kreme added that it holds cyber security insurance which is expected to offset a portion of the losses and costs incurred due to the incident.