International donut chain Krispy Kreme disclosed a security incident Wednesday, which the company said caused “certain business disruptions, including online ordering in parts of the United States.”
Krispy Kreme disclosed the cyberattack in an 8-K filing with the SEC. The company said on November 29 that it had been “notified of fraudulent activity on some of its information technology systems” and was taking steps to “investigate, contain, and remediate the incident” with the help of cybersecurity experts. He said that he had taken the necessary measures.
The company said its stores around the world are open and deliveries to its retail and restaurant partners are uninterrupted, but it did clarify the disruption in the United States.
“We continue to work diligently with external cybersecurity experts to respond to and mitigate the impact of the incident, including restoring online orders, and we have notified federal law enforcement,” the company wrote. “As the investigation into the incident is ongoing, the full extent, nature and impact of the incident is not yet known.”
When asked for comment, Krispy Kreme spokeswoman Kathy Beam sent a statement that echoed the language in the 8-K filing. Beam asked a series of questions regarding whether this incident was a ransomware attack, whether the hackers stole employee or company data, and how exactly this incident is impacting operations and online orders. I didn't answer.
Krispy Kreme said in a filing that the incident is “likely to have a material impact” on its business operations pending recovery.