I don’t know about this November breach, this is the first time I’m hearing about it I think.
Its surprising that the portion of the article that is before the update indicates that it was not known what was taken, although a Ransomware group calling itself Play did all of the dirty work.
From Jaws Picture Smart:
The image appears to be a screenshot of a webpage or digital document related to Krispy Kreme. It displays a content header listing details like the United States location, website, and data specifics such as views (33,312), amount of data (184 GB), and publication date (2024-12-21). Below, there’s a description about Krispy Kreme’s operations, followed by a comment about private and confidential data. There are redacted download links and a “Published” status at the bottom.
This Play group, according to the article, has been around since 2022 and has hit a number of places like Rackspace, Arnold Clark, a car retailer, The City of Oakland in California, Dallas County, Texas, the Belgian city of Antwerp, and Microchip Technology. These are all links within the article, so if you’re interested in learning more, feel free to give it a look.
What gets me is the update that was posted on June 20th. It says:
“Types of information that were subject to unauthorized access vary by individual but may include: name, Social Security number, date of birth, driver’s license or state ID number, financial account information, financial account access information, credit or debit card information, credit or debit card information in combination with a security code, username and password to a financial account, passport number, digital signature, username and password, email address and password, biometric data, USCIS or Alien Registration Number, US military ID number, medical or health information, and health insurance information,” the company states..
Earlier in the article, below the advertisement, they write:
This week, in a filing with Maine’s Office of the Attorney General, Krispy Kreme revealed that the November data breach had affected 161,676 individuals.
“On May 22, 2025, we determined that certain of your personal information was impacted by this incident,” it told affected individuals in breach notification letters sent to impacted people. “There is no evidence that your information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident.
While the company didn’t reveal what data was exposed in the incident, a separate filing with Massachusetts’ Attorney General discloses that stolen documents contained affected individuals’ social security numbers, financial account information, and driver’s license information.
Krispy Kreme detected unauthorized activity on its IT systems on November 29 and disclosed the incident, along with disruptions to its online ordering, in an SEC filing filed on December 11.
The fact you took 6 fucking months to even come out and tell us what was potentially pilfered is too long. You did not learn from the UK companies we’ve blogged about where they were transparent.
This is fucking crazy this is still going on today. Seriously.
To read the full article, please read Krispy Kreme says November data breach impacts over 160,000 people and may the boards await you. Have fun!
Discover more from The Technology blog and podcast
Subscribe to get the latest posts sent to your email.