American doughnut chain Krispy Kreme revealed it suffered a cyberattack on November 29, 2024, causing disruptions to its online ordering system in the United States. The incident has impacted portions of its operations, although in-store purchases and deliveries to retail and restaurant partners remain unaffected.
Krispy Kreme, an international brand with 1,521 locations and over 22,800 employees, operates 15,800 points of access worldwide. The company also partners with McDonald's, expanding its reach across thousands of additional locations.
In a filing with the U.S. Securities and Exchange Commission (SEC) submitted today, Krispy Kreme confirmed it detected unauthorized activity within its IT systems.
"On November 29, 2024, Krispy Kreme, Inc. was notified regarding unauthorized activity on a portion of its information technology systems," the filing reads.
While the company reassured customers that shops worldwide remain open and fresh deliveries are continuing as usual, online ordering in parts of the United States has been temporarily suspended. To inform customers, Krispy Kreme has updated its website with a message acknowledging the inconvenience and promising diligent efforts to resolve the issue.
Digital orders account for 15.5% of Krispy Kreme's sales, as highlighted in its Q3 2024 financial results, which reported 3.5% organic revenue growth. The disruption caused by the cyberattack has had a material impact on business operations, particularly in digital sales.
The company expects financial losses due to reduced revenue from digital sales during the recovery period. Additionally, it anticipates incurring expenses for cybersecurity experts, advisors, and system restoration efforts.
Krispy Kreme acted swiftly to contain the breach by engaging leading cybersecurity professionals. However, the scope, nature, and full impact of the incident remain under investigation.
The market responded negatively to the news, with Krispy Kreme’s stock price dropping by 2% earlier today following the disclosure of the breach.
Krispy Kreme has not disclosed the specific type of cyberattack, leaving it unclear whether ransomware was involved. No ransomware groups have claimed responsibility for the breach, which could indicate ongoing negotiations to prevent potential data leaks.
The Krispy Kreme cyberattack underscores the growing vulnerabilities businesses face in the digital era. With online ordering playing a critical role in revenue generation, robust cybersecurity measures are essential for minimizing disruptions and protecting sensitive systems, especially for firms that rely on e-commerce.