International doughnut chain Krispy Kreme disclosed a security incident on Wednesday, which the company said has caused “certain operational disruptions, including with online ordering in parts of the United States.”
Krispy Kreme disclosed the cyberattack in an 8-K filing with the SEC. The company said it was “notified regarding unauthorized activity on a portion of its information technology systems” on November 29, and that it has taken steps to “investigate, contain, and remediate the incident,” with help from cybersecurity experts.
The company said that shops around the world are open, and there is no interruption to deliveries to retail and restaurant partners, but disclosed the aforementioned disruptions in the United States.
“The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement,” the company wrote. “As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known.”
When reached for comment, Krispy Kreme spokesperson Cassie Beem sent a statement echoing the language in the 8-K filing. Beem did not answer a series of questions about whether this incident was a ransomware attack, whether hackers stole employee or company data, and how exactly the incident is disrupting operations and online ordering.
Krispy Kreme said in the filing that the incident has had and is “reasonably likely to have a material impact” on the company’s business operations until recovery.
