Doughnut maker Krispy Kreme said a cyber security attack has disrupted its online operations, including online orders, in parts of the US, which the group warned would have a material impact on its business.
The US company said in a filing to the US Securities and Exchange Commission on Wednesday that it had been notified on November 29 of “unauthorised activity” in part of its IT systems, which it had taken steps to contain and remediate.
As a result, it was “experiencing certain operational disruptions, including with online ordering”, Krispy Kreme said. Its stores remain open, it added in the filing.
The North Carolina-headquartered doughnut chain, which operates in 35 countries and in its own stores and supermarkets, said the incident “has had and is reasonably likely to have a material impact on the company’s business operations until recovery efforts are completed”.
Krispy Kreme said that it notified federal law enforcement and began to investigate in collaboration with external cyber security experts to “contain” disruptions.
The attack came weeks after a warning that fraud and ransomware are expected to threaten retailers, hospitality and travel businesses during their busiest Christmas holiday season, according to a report published last month by Virginia-based Retail & Hospitality Information Sharing and Analysis Center.
The centre’s audit of cyber threats reported during the last holiday season showed that ransomware accounted for 26 per cent of all reported incidents, doubling from 13 per cent in the previous year.
This year has seen “some of the largest breaches to date”, according to international cyber security firm Cypfer, with attacks also increasing in the retail and hospitality industries. In April, California-based Panda Restaurant Group, the owner of fast-casual Asian chain Panda Express, said that its corporate systems were hacked in March and some personal information of an undisclosed number of employees was stolen.
Krispy Kreme said it holds cyber security insurance that is expected to “offset a portion of the costs of the incident”. It does not expect the attack will have a “long-term material impact on its results of operations and financial condition”.
But cyber security experts say it can take months for a company to recover from an attack.
“Even if the system is back up-and-running, the issue is hackers will already have the [company’s] data and will be threatening to publish [it],” said Graham Cluley, a cyber security researcher.
Krispy Kreme relisted in 2021 following its acquisition in 2016 by European investment group JAB Holding. In the US, the company has expanded its sales channels by piloting at McDonald’s restaurants.
Shares in Krispy Kreme were down nearly 3 per cent in trading in New York. The company declined to comment beyond its SEC filing.