Krispy Kreme Faces Class Action Lawsuit Over Breach That Exposed 160,000 Employee Records

A 2024 data breach at Krispy Kreme exposed over 160,000 employee records. A new class action lawsuit blames the company’s failure to encrypt sensitive data.

Unencrypted personal data, delayed notifications, and ransomware claims bring legal heat to one of America’s best-known brands.

Class Action Filed After Krispy Kreme Data Breach Exposed Troves of Employee PII

Krispy Kreme Doughnut Corporation is now the target of a proposed class action lawsuit after a major data breach in late 2024 compromised the personal information of more than 160,000 individuals connected to the company. The lawsuit, filed June 21, 2025, in the Western District of North Carolina, accuses the company of negligence, poor cybersecurity hygiene, and failure to protect sensitive information.

The plaintiff, former employee Lily Peace of North Dakota, alleges that Krispy Kreme failed to encrypt or adequately protect the private data of current employees, former staff, and even family members. A federal judge officially approved the legal team representing the class on Tuesday.

Court documents cite November 29, 2024, as the date when Krispy Kreme first discovered unauthorized access to its internal systems. According to the filing, the breach exposed a wide range of sensitive personal and financial data belonging to at least 161,676 individuals.

Personal, Financial, and Medical Data Exposed in the Breach

The breach reportedly impacted names, addresses, Social Security numbers, driver’s licenses, passport details, and login credentials. In some cases, even biometric data and protected health information (PHI) were exposed. The scope of data includes:

• Full name, home address, and contact details
• Social Security numbers, dates of birth, driver’s licenses, and state IDs
• Passport numbers and USCIS/A-number
• Login credentials and financial account information
• Credit/debit card details with security codes
• Digital signatures and biometric identifiers
• Medical records and health insurance information

The lawsuit notes that much of this data was neither redacted nor encrypted, a factor that strengthens the negligence claim.

Play Ransomware Group Claimed Responsibility Weeks After Breach

About three weeks after the breach, the Play ransomware gang claimed to have stolen Krispy Kreme’s internal data and threatened to leak it on December 21, 2024. Whether any data was published remains uncertain. However, by that point, Krispy Kreme had already notified the U.S. Securities and Exchange Commission (SEC) that parts of its business were disrupted.

The company stated that online ordering services would be temporarily offline while recovery efforts continued, but emphasized that in-person ordering at its 1,400 global outlets remained unaffected.

A company spokesperson told Cybernews at the time,

“We have no reports that the criminals have used any information for identity theft or fraud as a result of this incident.”

However, the class action lawsuit criticizes the company for waiting over six months to send official breach notification letters and for omitting critical details in the notices.

Legal Claims Focus on Failure to Encrypt and Delayed Response

At the center of the lawsuit is the accusation that Krispy Kreme’s data security practices were outdated and negligent. The legal filing alleges that due to the company’s “intentional, willful, reckless, and negligent failure” to safeguard personal information, victims now face a lifetime risk of identity theft, phishing, financial fraud, and other abuses.

The complaint further accuses the company of causing:

• Invasion of privacy
• Increased spam communications
• Time lost managing the aftermath
• Long-term anxiety over identity misuse

According to the legal team, the exposed data could allow malicious actors to impersonate victims, open fraudulent accounts, or engage in spear phishing using stolen details like employment status and health records.

Unprotected Data, Delayed Notifications, and Legal Fallout Raise Urgent Security Questions

The class action brings renewed attention to how corporate data breaches—especially involving employee information—are handled. As ransomware actors continue to target businesses large and small, the failure to encrypt personal data or promptly notify victims may carry not just reputational damage, but legal consequences as well.

With cybercriminals increasingly going after HR and payroll systems, enterprises must prioritize not only technical defenses but also post-breach response planning.

Looking for a trusted recovery solution?

StoneFly DR365 for Veeam offers air-gapped, immutable backups—designed to ensure ransomware recovery without data loss. Trusted by large enterprises, it helps protect sensitive information even in the face of sophisticated breaches.
