A security ‘hole’ in Krispy Kreme Doughnuts helped hackers take a bite

The attack, which remains unclaimed, disrupted parts of Krispy Kreme’s online sales in the US.

Global doughnut and coffee chain owner Krispy Kreme, famous for its “original glazed doughnuts,” has had a “portion of their IT systems” disrupted by a cyberattack.

In an SEC filing on Wednesday, the global doughnut business said it suffered a cybersecurity incident that has hampered part of its online business in the US.

“Krispy Kreme shops globally are open, and consumers are able to place orders in person, but the Company is experiencing certain operational disruptions, including with online ordering in parts of the United States,” the company said in the filing. “Daily fresh deliveries to our retail and restaurant partners are uninterrupted.”

The company has informed federal law enforcement and has brought in external assistance to respond to and mitigate the impact of the incident, the filing added.

No hacker or group has yet taken responsibility for the attack.

Incident to have a material impact

In the filing, Krispy Kreme confirmed that the incident has had, and will continue to have, a material impact until a full recovery of the systems is achieved. Costs from the incident will include loss of revenues from digital sales until restoration, fees for cybersecurity experts and advisors, and the costs to restore impacted systems.

“Thankfully, there appears to be some degree of system isolation between the online ordering platform and the store management platform,” said Trey Ford, chief information security officer at Bugcrowd. “On the upside, customers can still visit brick-and-mortar stores to buy donuts and coffee — albeit with the inconvenience of waiting a few extra minutes.”

It is still early days: the investigation has yet to uncover the initial point of infection, and the incident could have a ripple effect on other Krispy Kreme services and connected systems.

“While the full details are yet to emerge, the scenario is all too familiar in today’s threat landscape,” said Alberto Farronato, CMO at Oasis Security. “Cybersecurity incidents can ripple across business operations and customer experiences, even in industries not traditionally associated with high-tech services, causing operational disruptions, financial impact, and erosion of customer trust.”

Krispy Kreme had not responded to queries regarding the investigation and operational status at the time of publishing this report.

The road to recovery could prove to be a long one, as Ford pointed out. “Tracing the source of unauthorized activity can be challenging, especially when budget constraints limit logging and other telemetry,” he said. “Data flow diagrams, authentication boundaries, and the scope of non-human identities (NHI) are critical tools for identifying the incident’s starting point — but success is not always guaranteed.”

There is some relief for the leading doughnut seller, however, as part of the costs outlined by the company is covered by the cybersecurity insurance it holds. “The Company does not expect this will have a long-term material impact on its results of operations and financial condition,” Krispy Kreme added in the filing.