Krispy Kreme Doughnuts said a cyber-intrusion discovered on 29 November 2024 compromised personal data for 161,676 people, according to a breach notice filed with Maine’s Office of the Attorney General on 16 June. The company began mailing notification letters last week, confirming that most of those affected are current or former employees and their families. Stolen information varies by individual but can include Social Security numbers, driver’s-license details, financial-account credentials, medical and health-insurance data, biometric identifiers and other sensitive records. Krispy Kreme is offering 12 months of free credit-monitoring and identity-protection services to those notified and says it has found no evidence of misuse so far. The attack, which disrupted online ordering in December, has cost the doughnut chain about $11 million in lost revenue and related expenses to date, its February annual report shows. The Play ransomware gang claimed responsibility in late December and later published gigabytes of purported corporate files after negotiations failed, though Krispy Kreme has not confirmed the extortion attempt. The company says it has contained the breach, engaged external cybersecurity experts and is upgrading defenses while the investigation continues. Several U.S. law firms have begun soliciting plaintiffs for possible class-action litigation over the incident.