Krispy Kreme Doughnuts said a November 2024 cyber-incident compromised the personal information of 161,676 people, according to a data-breach notice filed with the Maine Attorney General on 16 June and newly publicised this week. The company first detected unauthorised activity on its IT systems on 29 November and confirmed on 22 May that sensitive data had been accessed. Exposed records include Social Security numbers, bank-account and credit-card details, driver’s-license and passport numbers, medical and health-insurance information, biometric data and digital signatures. Krispy Kreme said most of those affected are current or former employees and their family members, putting them at heightened risk of identity theft and financial fraud. The doughnut chain has started mailing notification letters and is offering 12 months of free credit-monitoring and identity-protection services. The company said it has strengthened security controls and found no evidence that the stolen information has been misused to date, but urged recipients to monitor financial accounts and credit reports. Krispy Kreme’s annual report estimated the incident caused about $11 million in lost revenue and $4.4 million in direct response costs, and the company expects additional expenses in fiscal 2025. The Play ransomware gang has claimed responsibility for the breach, though the company has not attributed the attack while its investigation continues.