Krispy Kreme, the doughnut giant, revealed on Wednesday that its online ordering systems in the US had been hit by a cyberattack. In a regulatory filing, Krispy Kreme disclosed that upon discovering an intruder in their systems on November 29th, they promptly initiated measures to secure their networks with the assistance of cybersecurity specialists. Since then, the company has been working to restore all its systems, including online ordering capabilities. The statement noted that the incident has been reported to federal law enforcement authorities.
We asked experts across the cybersecurity industry about the hack.
Commenting on the hack, Boris Cipot, a senior security engineer at Black Duck Software, said: “A cyberattack can happen to any organisation. In the case of Krispy Kreme, where unauthorised activity on a portion of its information technology systems has disrupted certain operations, including online ordering, the organisation has responded promptly to the incident and is collaborating with external experts to understand the issue and resolve it. This is very positive. However, this incident also shows that industry segments that are usually not associated with technology should be focusing on improving their overall security posture. Every business is a software business and therefore a possible target for cyber attacks.”
Yet Krispy Kreme is not alone: organisations across all industries are being hit by cyberattacks with increasing frequency. As Ian Nicholson, Incident Response Head at Pentest People, echoes: “This isn’t just a Krispy Kreme problem though, it’s indicative of a much larger problem in organisations. Too many businesses continue to lag behind in implementing robust incident response plans and effective cyber defence strategies, including rigorous testing. We still need to move away from treating cybersecurity as a ‘nice to have.’ Too many organisations still do, and the consequences are becoming more and more evident.”
The organisation has not stated whether or not any customer data was compromised in the breach. However, Paul Bischoff, Consumer Privacy Advocate at Comparitech, says: “Customers should assume the worst for their own safety. Krispy Kreme customers who order their donuts online should expect to receive a notice in the mail in the coming months informing them that their private information was breached. Most attacks of this nature don’t just disrupt systems. They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months. But the time to protect yourself is now, so keep an eye on your accounts.”
Krispy Kreme’s filing to the Securities and Exchange Commission (SEC) noted that the company was already feeling the strain post-attack. The filing says: “As of the date of this filing, the incident has had and is reasonably likely to have a material impact on the Company’s business operations until recovery efforts are completed. The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company’s results of operations and financial condition. The Company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident. The Company does not expect this will have a long-term material impact on its results of operations and financial condition.”
James Scobey, CISO of Keeper Security, says: “The Krispy Kreme incident highlights the high cost of cybersecurity breaches – not only in financial terms but in operational disruption and the erosion of customer trust. The reported downtime of online ordering demonstrates how even temporary interruptions can have a significant impact on revenue and brand reputation.”
“To mitigate ever-present cyber risks, organisations must adopt a proactive approach to cybersecurity. Privileged Access Management (PAM) protects systems by limiting access to sensitive assets to only essential personnel, and continuously monitoring privileged accounts for unusual activity. Strong password management – including the enforcement of strong, unique passwords and multi-factor authentication – is a critical first line defence in preventing unauthorised access.”
Scobey continues: “The cost of implementing these proactive measures is a fraction of the expense required to recover from a breach. Regular security audits, employee training and vulnerability assessments help identify and address potential vulnerabilities. Cybersecurity isn’t just a technical requirement – it’s essential for organisations to ensure operational resilience and maintain customer confidence.”