Jonathan Wheatley reports:
Krispy Kreme said a cyber security attack has disrupted its online operations in the part of the US, as the doughnut maker warned it would have a material impact on its business. The US company said on Wednesday that it had been notified on November 29 of “unauthorised activity” in part of its IT systems, which it had taken steps to contain and remediate. As a result, it was “experiencing certain operational disruptions, including with online ordering”, Krispy Kreme added.
Read more at Financial Times.
From the firm’s 8-Kfiling:
Item 1.05. Material Cybersecurity Incidents.
On November 29, 2024, Krispy Kreme, Inc. (the “Company”) was notified regarding unauthorized activity on a portion of its information technology systems. The Company immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts. Krispy Kreme shops globally are open, and consumers are able to place orders in person, but the Company is experiencing certain operational disruptions, including with online ordering in parts of the United States. Daily fresh deliveries to our retail and restaurant partners are uninterrupted.
The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement. As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known.
As of the date of this filing, the incident has had and is reasonably likely to have a material impact on the Company’s business operations until recovery efforts are completed. The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company’s results of operations and financial condition. The Company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident. The Company does not expect this will have a long-term material impact on its results of operations and financial condition.