Krispy Kreme Doughnut Corporation admits to hole in security

Doughnut slinger Krispy Kreme has admitted to an attack that has left many customers unable to order online.

According to a mandatory 8-K filing [PDF], on November 29, the biz was notified regarding unauthorized access to a portion of its IT systems. Its security team waddled into action and sprinkled in support from "leading cybersecurity experts," but said that delays in online orders were going to be hard to swallow for some.

"The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the company’s results of operations and financial condition," it reported. "The company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident."

The pastry purveyors remain tight-lipped about the nature of the incident. When asked if this was a straight-up ransomware attack, a data-theft incident, or a secondary ransomware extortion attempt that goes after customers, it declined to comment.

"We’re experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States. We immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts and other advisors," a spokesperson told The Register.

"We, along with them, continue to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering. Our fresh doughnuts are available in our shops as always! Additionally, our fans can also visit their nearest grocery or convenience store to enjoy our doughnuts."

• Dunkin' Donuts drops some dough to glaze over lawsuit accusing it of covering up customer account hacks
• DoorDash doesn't just pick up your food orders, it delivers your data to hackers, too
• Burger chain Wendy's serves up settlement, NeverQuest hacker guilty, cloudy payroll users hacked and more
• From dank memes to Krispy Kremes: British uni eggheads claim viral lol pics make kids fat

The filing does appear to be a little late. The SEC requires companies to report "material" cybersecurity incidents within four business days, which suggests Krispy Kreme's disclosure might be a little late out of the oven. Again, the company has no comment on the issue.

But the timing of the attack is certainly interesting. The US celebrated its Thanksgiving holiday on November 28 this year. With IT staff enjoying a break and incident response times slowed, holidays are an ideal time to hit servers, and there's also a marked increase in general computer crime, for example the 2023 MOVEit intrusion was timed for America's Memorial Day weekend.

As ever, if you're a regular customer, check any credit cards associated with your bun account. A cholesterol check might be in order too. ®