Krispy Kreme Doughnut Corp. says a cyber-intrusion first detected on Nov. 29, 2024 exposed personal data belonging to about 161,676 people, according to breach notices filed with state regulators and the U.S. Securities and Exchange Commission. The investigation, completed on May 22, 2025, found that attackers accessed highly sensitive information including Social Security numbers, driver’s-license details and, in some cases, financial-account data. The company has begun mailing notification letters to those affected — largely current and former employees and their family members — and is providing 12 months of free credit-monitoring and identity-protection services. Krispy Kreme said the incident cost roughly $4.4 million in the first quarter of 2025 and reduced earnings before interest, taxes, depreciation and amortization by about $5 million. The doughnut chain expects cyber-insurance reimbursements to offset part of the outlay. The Play ransomware group has claimed responsibility for the breach, though the company has not confirmed the attribution. Krispy Kreme added that it has strengthened network defenses and is unaware of any misuse of the stolen data, but law firms are already soliciting potential class-action plaintiffs.