Krispy Kreme

Krispy Kreme Vendor Cyber Rating & Cyber Score

krispykreme.com

Headquartered in Charlotte, N.C., Krispy Kreme is one of the most beloved and well-known sweet treat brands in the world. Our iconic Original Glazed® doughnut is universally recognized for its hot-off-the-line, melt-in-your-mouth experience. Krispy Kreme operates in more than 40 countries through its unique network of fresh doughnut shops, partnerships with leading retailers, and a rapidly growing digital business. Our purpose of touching and enhancing lives through the joy that is Krispy Kreme guides how we operate every day and is reflected in the love we have for our people, our communities, and the planet.


Krispy Kreme A.I CyberSecurity Scoring

Krispy Kreme
Company Information
Website: http://www.krispykreme.com
Number of employees: 10,305
Number of followers: 131,591
NAICS: 722
Industry Type: Food and Beverage Services
Homepage: krispykreme.com
Krispy Kreme Risk Score (AI oriented)
Between 0 and 549
Krispy Kreme, Food and Beverage Services
Updated: 27/05/2026
Score: 350/1000, Critical (C)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Krispy Kreme: Critical
Current Score: 350, C (CRITICAL)
Score range: 0 to 1000
6 incidents
-105 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 367 Before Incident
MAY 2026: 455 Before Incident
Breach
24 May 2026, Krispy Kreme
Krispy Kreme: Krispy Kreme $1.6 million settlement can earn Floridians up to $3,500

Krispy Kreme Settles $1.6M Class-Action Over 2024 Data Breach

350 After Incident
CRITICAL (-105)
KRI1779668812
Krispy Kreme has agreed to a $1.6 million settlement in a class-action lawsuit alleging the company failed to prevent a November 2024 data breach that exposed sensitive customer information. The breach reportedly compromised names, dates of birth, Social Security numbers, and financial account details. While Krispy Kreme denies any wrongdoing or liability, the settlement covers U.S. residents who received a breach notification. Eligible consumers must file a claim by June 22, 2026, to receive compensation. All class members can claim a $75 cash payment, though the final amount may vary based on the number of claims submitted. Those with documented losses such as fraud or identity theft may receive up to $3,500 in reimbursement with proper evidence. Consumers who do not file a claim will still receive one year of credit monitoring, with activation codes provided via postcard notices. Claims can be submitted online through the [Krispy Kreme settlement website](https://www.krispykremebreachsettlement.com) or mailed to the settlement administrator. The deadline to opt out or object to the settlement is June 6, 2026. Florida has 32 Krispy Kreme locations, with the highest concentration in Jacksonville (4) and Pensacola (2). Nationwide, California leads with 41 locations, while the U.S. has a total of 361 stores.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Financial Loss: $1,600,000 (settlement amount)
Data Compromised: Names, dates of birth, Social Security numbers, financial account details
Legal Liabilities: Class-action lawsuit settlement
Identity Theft Risk: High (exposure of SSNs and financial account details)
Payment Information Risk: High (financial account details exposed)
DATA BREACH
Names
Dates of birth
Social Security numbers
Financial account details
Sensitivity Of Data: High (PII and financial data)
Personally Identifiable Information: Yes
APRIL 2026: 451 Before Incident
MARCH 2026: 440 Before Incident
FEBRUARY 2026: 436 Before Incident
JANUARY 2026: 429 Before Incident
DECEMBER 2025: 422 Before Incident
NOVEMBER 2025: 419 Before Incident
OCTOBER 2025: 413 Before Incident
SEPTEMBER 2025: 406 Before Incident
AUGUST 2025: 399 Before Incident
JULY 2025: 392 Before Incident
JUNE 2025: 483 Before Incident
Ransomware
05 Jun 2025, Krispy Kreme
Krispy Kreme: FBI Aware of 900 Organizations Hit by Play Ransomware

Play Ransomware Gang Activity

378 After Incident
CRITICAL (-105)
KRI1768390561
Play Ransomware Gang Hits 900 Victims in Three-Year Spree, Governments Warn
The Play ransomware gang, also known as Playcrypt, has compromised approximately 900 organizations since its emergence in June 2022, according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC). The group employs double-extortion tactics, encrypting systems while also exfiltrating sensitive data to pressure victims into paying ransoms. Initially reported to have targeted around 300 victims by October 2023, Play has since escalated its operations, becoming one of the most active ransomware groups in 2024. The latest advisory, released in May 2025, highlights new tactics, techniques, and procedures (TTPs) observed in recent attacks, including the exploitation of three critical vulnerabilities in the SimpleHelp remote monitoring and management (RMM) software. Tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, these flaws can be chained to gain administrator privileges and execute arbitrary code, fully compromising vulnerable systems. Play’s operators evade detection by recompiling the ransomware for each attack, tailoring it to specific targets. Victims are contacted via unique email addresses (using @gmx.de or @web[.]de domains) or phone calls, with threat actors often routing extortion demands to publicly listed numbers, such as help desks or customer service lines. The advisory also warns of an ESXi variant of the ransomware, which shuts down virtual machines (VMs) and encrypts related files using randomly generated per-file keys. Like the Windows variant, the ESXi version is recompiled for each campaign and includes command-line flags for targeted encryption or debugging. The joint advisory underscores Play’s growing threat as the group continues to refine its methods and expand its victim count.
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
Financial gain
Data extortion
IMPACT
Windows systems
ESXi virtual machines
Operational Impact: Encryption of critical files and VMs, leading to operational disruption
DATA BREACH
Personally identifiable information
Financial data
Sensitivity Of Data: High
DECEMBER 2024: 480 Before Incident
Cyber Attack
30 Dec 2024, Krispy Kreme
Krispy Kreme

Krispy Kreme Black Friday 2024 Cyberattack and Data Breach

453 After Incident
CRITICAL (-27)
KRI5093650100125
On Black Friday 2024, Krispy Kreme detected unauthorized network activity, marking the start of a cyber-attack that crippled its online ordering system until December 30, 2024. The incident led to significant financial and operational disruptions, including lost digital sales revenue, cybersecurity advisory fees, and system restoration costs, all of which materially impacted the company’s financial condition. Months later, in May 2025, Krispy Kreme disclosed that nearly 62,000 individuals had their highly sensitive data stolen, including Social Security numbers, financial account details, passport numbers, and biometric data. The breach exploited potential holiday-season vulnerabilities, such as understaffed security teams and relaxed IT monitoring. The prolonged investigation and recovery underscored the attack’s severity, with long-term reputational and financial repercussions for the company.
INCIDENT DETAILS
TYPE
cyberattack
data breach
ransomware (implied by disruption and data theft)
MOTIVATION
financial gain
data theft
IMPACT
Financial Loss: material impact (revenue loss from digital sales, cybersecurity expert fees, system restoration costs)
Social Security numbers
financial account information
passport numbers
biometric data
personally identifiable information
online ordering system
Downtime: 31 days (November 29, 2024 – December 30, 2024)
Operational Impact: online ordering system offline, extended investigation period
Revenue Loss: loss of digital sales during peak holiday season
Brand Reputation Impact: high (public disclosure of sensitive data breach)
Identity Theft Risk: high (SSNs, financial data, biometric data exposed)
Payment Information Risk: high (financial account information compromised)
DATA BREACH
personally identifiable information (PII)
financial data
biometric data
government-issued IDs (SSNs, passports)
Number Of Records Exposed: 62,000
Sensitivity Of Data: high
Data Exfiltration: yes
Personally Identifiable Information: yes
NOVEMBER 2024: 546 Before Incident
Breach
01 Nov 2024, Krispy Kreme
Krispy Kreme Doughnut Corporation

Krispy Kreme Data Security Incident

470 After Incident
HIGH (-76)
KRI606061925
Krispy Kreme Doughnut Corporation experienced a significant data breach in late November 2024, affecting thousands of current and former employees, along with their family members. The breach exposed highly sensitive personal information, including Social Security numbers, financial account information, biometric data, and medical information. The company has since implemented additional security measures and is offering complimentary credit monitoring and identity protection services to those affected.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Social Security numbers
dates of birth
driver’s license numbers
financial account information
credit and debit card details with security codes
passport numbers
usernames and passwords for financial accounts
biometric data
medical and health insurance information
U.S. military ID numbers
immigration-related documentation
digital signatures
email credentials
Identity Theft Risk: High
Payment Information Risk: High
DATA BREACH
Social Security numbers
dates of birth
driver’s license numbers
financial account information
credit and debit card details with security codes
passport numbers
usernames and passwords for financial accounts
biometric data
medical and health insurance information
U.S. military ID numbers
immigration-related documentation
digital signatures
email credentials
Number Of Records Exposed: Thousands
Sensitivity Of Data: High
Personally Identifiable Information: Yes
JANUARY 2024: 762 Before Incident
Breach
01 Jan 2024, Krispy Kreme
Krispy Kreme Inc.: Krispy Kreme $1.6 Million Data Breach Deal Gets First Court Nod

Krispy Kreme Settles $1.6M Class Action Over 2024 Employee Data Breach

501 After Incident
HIGH (-261)
KRI1772821859
Krispy Kreme Inc. has agreed to pay $1.6 million to resolve a proposed class action lawsuit alleging the company failed to adequately protect the personal data of nearly 162,000 employees exposed in a 2024 breach. The settlement received preliminary approval from the U.S. District Court for the Western District of North Carolina. Under the terms of the deal, affected employees defined as class members may claim up to $3,500 in reimbursement for documented losses tied to the breach or opt for a $75 cash payment. The incident underscores the financial and reputational risks companies face when employee data is compromised due to insufficient security measures. The breach highlights ongoing vulnerabilities in corporate data protection, particularly for large employers handling sensitive workforce information. The settlement reflects a growing trend of legal and financial consequences for organizations following cybersecurity failures.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Financial Loss: $1,600,000
Data Compromised: Personal data of employees
Brand Reputation Impact: Reputational risks
Legal Liabilities: Class action lawsuit
DATA BREACH
Type Of Data Compromised: Personal data
Number Of Records Exposed: 162,000
Sensitivity Of Data: High (employee data)
Personally Identifiable Information: Yes
Breach
01 Jan 2024, Krispy Kreme
Krispy Kreme: Krispy Kreme customers could get $3,500 in payouts after data breach

Krispy Kreme Data Breach Settlement

501 After Incident
CRITICAL (-261)
KRI1779892471
Krispy Kreme Settles $1.6M Lawsuit After 2024 Data Breach Exposing Customer Financial Data
Krispy Kreme has agreed to a $1.6 million settlement following a 2024 cyberattack that compromised customers’ sensitive data, including Social Security numbers and bank account details. The breach, which exposed names, dates of birth, and financial account information, led to a class-action lawsuit alleging inadequate data protection. Affected customers who suffered fraud or financial losses may qualify for payouts of up to $3,500, while those without direct losses could receive $75. The settlement also includes a year of free credit monitoring and identity theft protection. Claims must be submitted by June 22, with documentation required for fraud-related compensation. As part of the agreement, Krispy Kreme has committed to strengthening its cybersecurity measures, though the company denies any wrongdoing. The final approval hearing is set for July 6. The doughnut chain, founded in 1937 and headquartered in North Carolina, operates over 340 U.S. locations, including 41 in California. Customers were notified of the breach and settlement, with officials cautioning against submitting claims without meeting eligibility requirements. The incident follows a similar $7.4 million settlement by Trader Joe’s last month over exposed credit card data on receipts.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Financial Loss: $1.6 million settlement
Data Compromised: Names, dates of birth, Social Security numbers, bank account details, financial account information
Brand Reputation Impact: Yes
Legal Liabilities: Class-action lawsuit
Identity Theft Risk: Yes
Payment Information Risk: Yes
DATA BREACH
Social Security numbers
Bank account details
Names
Dates of birth
Financial account information
Sensitivity Of Data: High
Personally Identifiable Information: Yes

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Krispy Kreme?
What was Krispy Kreme's A.I Rankiteo Cyber Score in May 2026?
What was Krispy Kreme's A.I Rankiteo Cyber Score in April 2026?
What was Krispy Kreme's A.I Rankiteo Cyber Score in March 2026?
What was Krispy Kreme's A.I Rankiteo Cyber Score in February 2026?
What was Krispy Kreme's A.I Rankiteo Cyber Score in January 2026?
What was Krispy Kreme's A.I Rankiteo Cyber Score in December 2025?
What was Krispy Kreme's A.I Rankiteo Cyber Score in November 2025?
What was Krispy Kreme's A.I Rankiteo Cyber Score in October 2025?
What was Krispy Kreme's A.I Rankiteo Cyber Score in September 2025?
What was Krispy Kreme's A.I Rankiteo Cyber Score in August 2025?
What was Krispy Kreme's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Krispy Kreme's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Krispy Kreme?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Krispy Kreme's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?