Krispy Kreme has acknowledged that the December 2024 disruption to its online ordering system resulted from a cyber-attack. Krispy Kreme operates four bakeries known as “Doughnut Factories,” 1,521 retail shops, and over 15,000 delivery locations in the United States. It has also partnered with McDonald’s to make its doughnuts available to the restaurant chain’s customers across the country. “We’re experiencing certain operational disruptions due to a cybersecurity incident, including with online ordering in parts of the United States,” the company announced.
In an SEC filing, Krispy Kreme said it learned of the “unauthorized activity on a portion of its information technology systems” on November 29, 2024.
Krispy Kreme responds to cyber-attack
The Charlotte, North Carolina-based doughnut chain responded by taking additional security measures to contain and remediate the incident. It also hired external cybersecurity experts to investigate the full scope and impact of the cyber-attack.[1]
The cyber-attack did not affect Krispy Kreme’s in-store operations, including restaurant deliveries and retail orders. The company said it was working diligently to restore its online ordering system and had reported the cyber-attack to law enforcement. Krispy Kreme nonetheless expected material impacts on its results of operations and financial condition from the disruption of digital operations, including online ordering systems, recovery costs, and the expense of hiring external advisors and cybersecurity experts.
Online orders account for 15.5% of Krispy Kreme’s total sales and 3.5% of its revenue. The company’s stock also fell 2% after news of the cyber-attack spread. The full material impact of the cyber-attack will remain unknown until the incident is fully resolved. “As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known,” said the filing.
Krispy Kreme expects to cover part of the recovery costs through its cybersecurity insurance and anticipates that the cyber-attack will only temporarily affect its operations.
Play ransomware takes credit for the Krispy Kreme cyber-attack
The doughnut chain has not yet disclosed whether ransomware was involved. However, the Play ransomware gang, also known as Playcrypt, has claimed responsibility for the Krispy Kreme cyber-attack by listing the company on its Tor data leak site. The threat actor says it stole business-related information, including IDs, corporate documents, personal data, contracts, tax and payroll records, and financial and accounting information.
Play ransomware also demanded an unspecified ransom amount payable by 21 December to avoid leaking the stolen information online. However, Krispy Kreme has not disclosed the threat actor’s identity or confirmed receiving any ransom demands.
Active since June 2022, Play ransomware is a double-extortion cybercrime gang that had claimed responsibility for over 400 cyber-attacks by December 2023, with its victims primarily located in the Americas and Europe. Play ransomware’s notable victims include the City of Oakland in California, A10 Networks, Dallas County in Texas, the Belgian city of Antwerp, Rackspace, and Microchip Technology.
In December 2023, the US FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) published a joint cybersecurity advisory about the Play ransomware group victimizing businesses and critical infrastructure across three continents. “Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” the joint cybersecurity advisory stated. The group has exploited Microsoft Exchange and FortiOS vulnerabilities and gains access through compromised credentials and exposed VPN and RDP services.
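Because the advisory singles out compromised credentials and VPN/RDP access as the group’s way in, the first thing a defender can do with this reporting is look for exactly that pattern in Windows logon telemetry. The script below is an added illustration written for this article, not code from the advisory, from Krispy Kreme, or from Red Sky Alliance. It runs over a handful of constructed Windows Security events (event 4624 = successful logon, 4625 = failed logon, logon type 10 = RemoteInteractive, i.e. RDP) and raises two kinds of alert: an RDP logon that succeeded from an address outside the assumed corporate ranges, and an account that logged on successfully right after a burst of failures from the same source, which is what credential stuffing or a password guess followed by success looks like. The corporate address ranges, account names and addresses are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Windows Security event IDs and the logon type for RDP (RemoteInteractive).
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625
LOGON_TYPE_RDP = 10

# Assumed corporate address space (RFC 1918); adjust to the real environment.
CORPORATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample events, not real telemetry:
# (timestamp, event_id, account, logon_type, source_ip)
SAMPLE_EVENTS = [
    ("2024-11-29T01:02:10", 4625, "svc_backup", 3, "203.0.113.44"),
    ("2024-11-29T01:02:12", 4625, "svc_backup", 3, "203.0.113.44"),
    ("2024-11-29T01:02:15", 4625, "svc_backup", 3, "203.0.113.44"),
    ("2024-11-29T01:02:20", 4624, "svc_backup", 10, "203.0.113.44"),
    ("2024-11-29T08:15:00", 4624, "alice", 10, "10.20.30.40"),
    ("2024-11-29T09:00:00", 4624, "bob", 3, "10.20.30.41"),
]


def is_internal(ip):
    """True if the source address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_external_rdp(events):
    """Successful RDP logons whose source address is outside corporate ranges.

    RDP reached directly from the internet is the exposure the advisory warns
    about; each hit is returned as (timestamp, account, source_ip).
    """
    hits = []
    for ts, eid, account, ltype, ip in events:
        if eid == EVENT_LOGON_OK and ltype == LOGON_TYPE_RDP and not is_internal(ip):
            hits.append((ts, account, ip))
    return hits


def find_failures_then_success(events, threshold=3):
    """Accounts that succeeded after `threshold` or more failures from one source.

    Failures are counted per (account, source_ip) in timestamp order and reset
    after every success; a hit is (timestamp, account, source_ip, failures).
    """
    failures = defaultdict(int)
    hits = []
    for ts, eid, account, ltype, ip in sorted(events):
        key = (account, ip)
        if eid == EVENT_LOGON_FAIL:
            failures[key] += 1
        elif eid == EVENT_LOGON_OK:
            if failures[key] >= threshold:
                hits.append((ts, account, ip, failures[key]))
            failures[key] = 0
    return hits


if __name__ == "__main__":
    for alert in find_external_rdp(SAMPLE_EVENTS):
        print("external RDP logon:", alert)
    for alert in find_failures_then_success(SAMPLE_EVENTS):
        print("failures then success:", alert)
```

On the constructed sample only the `svc_backup` account trips both rules (an RDP logon from 203.0.113.44 after three failures from that address), while the internal RDP and network logons are ignored. In a real estate the same two checks are worth running over VPN authentication logs as well, since the advisory names VPN access alongside RDP.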
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.cpomagazine.com/cyber-security/doughnut-chain-krispy-kreme-suffers-a-play-ransomware-cyber-attack-disrupting-online-ordering-systems/