Source: Matthew Horwood via Alamy Stock Photo
US doughnut dealer Krispy Kreme suffered a cybersecurity incident that's made a mess of online ordering but spared retail operations that continue to serve up sugar-coated confections nationwide.
A Securities and Exchange Commission filing from Krispy Kreme disclosed the company was subject to an "unauthorized activity on a portion of its information technology systems" in late November.
"The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement," the Krispy Kreme 8-K filing explained. "As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known."
Krispy Kreme added that while the cybersecurity incident is likely to have a "material impact" on the business until it is able to recover, anticipated losses are likely to be offset by cyber insurance.
Beyond operational impact, the statement did not indicate whether customer data was compromised. Paul Bischoff, consumer privacy advocate at Comparitech, recommended anyone who's ordered doughnuts online through Krispy Kreme should expect they've been exposed.
"Most attacks of this nature don't just disrupt systems," Bischoff added. "They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months."
Krispy Kreme Incident Recovery Continues
As the company recovers from the incident, Ilia Sotnikov, security strategist at Netwrix, said the Krispy Kreme cybersecurity team likely worked quickly to avoid more widespread damage.
"All their shops are open and all delivery commitments to retail and restaurant partners are fulfilled," Sotnikov said in a statement. "This means that the team identified the intrusion and was ready to swiftly follow the incident response plan."
Beyond initial concerns about business continuity, the entire Krispy Kreme supply chain is potentially vulnerable to follow-on cyberattacks, according to Ryan Sherstobitoff, senior vice president of threat research and intelligence at Security Scorecard.
"As one of the world's largest doughnut companies with over 400 US locations, this breach raises concerns about not only operational disruptions amidst the holidays but also the potential exposure of sensitive data within Krispy Kreme and its supply chain," Sherstobitoff noted, in a statement. "With the holiday season in full swing, retailers must remain vigilant. Cybercriminals are lurking, waiting to exploit any distraction."