Krispy Kreme, the renowned doughnut chain based in North Carolina, has disclosed a cybersecurity incident that is causing ongoing operational disruptions. The publicly traded company informed U.S. federal regulators on Wednesday that it has been working to address the issue since detecting "unauthorized activity" on its network on November 29, 2024.
Operational Impact
Despite the breach, Krispy Kreme assured customers that its physical stores remain open, and in-person orders are unaffected. However, online ordering is unavailable in some regions of the United States. The company also confirmed that deliveries to retail outlets and restaurants, including major partners such as McDonald’s, have not been disrupted.
The incident, described as having a "material impact" on business operations, will likely continue to affect the company until recovery efforts are complete. Online sales, which accounted for 15% of Krispy Kreme’s doughnut revenue during the summer, have been significantly impacted.
Financial Implications
Krispy Kreme’s stock, traded under the ticker "DNUT," dropped by 2.8% during early trading hours on Wednesday following the announcement. The company reported $1.5 billion in revenue for 2023 and recently shifted its focus back to its core business of producing and distributing fresh doughnuts daily, following the divestment of its majority stake in Insomnia Cookies earlier this year.
While the financial toll of the incident is still being assessed, Krispy Kreme stated that it expects to offset some of the costs associated with its response efforts through a claim against its cybersecurity insurance policy. The company also noted that it does not anticipate the breach will have a long-term material impact on its business.
Regulatory Disclosure
The Securities and Exchange Commission (SEC) mandates publicly traded companies to disclose cybersecurity incidents if they are deemed material to shareholders. Krispy Kreme’s disclosure aligns with this requirement, introduced in June 2023, which requires companies to report incidents within four days if they are likely to influence investment decisions.
Unanswered Questions
While Krispy Kreme has not yet revealed specific details about the nature of the attack, the incident bears hallmarks of a financially motivated cyberattack, possibly involving ransomware. A spokesperson for the company stated that there is no additional information to share beyond what has already been disclosed to regulators.
The cybersecurity breach at Krispy Kreme serves as a reminder of the vulnerabilities even well-established businesses face in today’s digital landscape. As recovery efforts continue, the company remains focused on minimizing disruption and restoring its online ordering capabilities. For now, doughnut enthusiasts can still enjoy Krispy Kreme’s treats in person, while the company works to strengthen its cybersecurity defenses and prevent future incidents.
0 Comments