Breach taxonomy
Summary
On November 29, 2024, Krispy Kreme was notified of unauthorized activity on a portion of its IT systems, causing operational disruptions including online ordering in parts of the United States. Physical shops remained open and daily fresh deliveries to retail and restaurant partners were uninterrupted, but the company assessed the incident as reasonably likely to have a material impact on business operations and financial results, including lost digital sales revenues and remediation costs. The company holds cybersecurity insurance expected to offset a portion of costs, and does not expect long-term material impact.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor category -> UNKNOWN.
MethodsSystem Outage
Filing describes unauthorized activity causing operational disruptions to online ordering; no specific attack method (ransomware, data exfiltration, etc.) is identified -> SYSTEM-OUTAGE.
AssetsRevenue Process
Filing states online ordering in parts of the United States was disrupted, impacting digital sales revenue, which is a revenue-generating business process -> REVENUE-PROCESS.
EffectsBiz Interruption
Filing states the incident caused operational disruptions to online ordering and is reasonably likely to have a material impact on the Company's business operations and financial results -> BIZ-INTERRUPTION.
Business continuityPartial
Physical shops remained open and daily fresh deliveries continued uninterrupted, but online ordering was disrupted with recovery ongoing as of filing date -> Partial.
Impact
National consumer brand with disrupted online ordering and expected material impact on revenues and financial results; cybersecurity insurance in place; full recovery timeline not known as of filing -> score 3.
InsuranceYes
Filing states 'The Company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident' -> true.
Read the original SEC filing excerpt
Item 1.05. Material Cybersecurity Incidents. On November 29, 2024, Krispy Kreme, Inc. (the "Company") was notified regarding unauthorized activity on a portion of its information technology systems. The Company immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts. Krispy Kreme shops globally are open, and consumers are able to place orders in person, but the Company is experiencing certain operational disruptions, including with online ordering in parts of the United States. Daily fresh deliveries to our retail and restaurant partners are uninterrupted. The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement. As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to have a material impact on the Company's business operations until recovery efforts are completed. The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company's results of operations and financial condition. The Company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident. The Company does not expect this will have a long-term material impact on its results of operations and financial condition.