
Most of us have heard of Krispy Kreme, the beloved doughnut chain known for its glowing “Hot Now” signs and glazed rings sold in thousands of locations across America. But in late 2024, the company made headlines for something far less appetizing: a ransomware attack that tore through its IT systems, exposed the most sensitive personal data imaginable, and set in motion one of the more consequential corporate data breach settlements of 2026. For the more than 161,000 people caught up in this incident, the story isn’t over. A legal settlement is now on the table, a hard deadline is bearing down fast, and many eligible Americans still haven’t filed a Krispy Kreme settlement claim.

The breach wasn’t just a technical nuisance. It cost the company tens of millions of dollars, knocked out online ordering during the height of the holiday shopping season, and left hundreds of thousands of current and former employees wondering whether their Social Security numbers, bank details, and biometric information were already circulating on the dark web. The answer, as investigators later confirmed, is that they almost certainly were. This is what happened, what it means, and exactly what affected individuals need to do before the window closes.

Understanding the full picture matters because data breach settlements are frequently misunderstood. Eligible recipients assume they’ve already been protected, that the company will handle it, or that the payout isn’t worth the effort. None of those assumptions hold up here, and this article lays out the evidence.

How the Attack Happened: Timeline of the Krispy Kreme Breach

A $1,616,760 settlement has been reached in a class action lawsuit against Krispy Kreme Doughnut Corporation, stemming from a data incident discovered on November 29, 2024, that involved unauthorized access to private information belonging to class members.

On November 29, 2024, Krispy Kreme detected unauthorized activity within a portion of its IT systems, and the breach forced the company to temporarily suspend its online ordering services in parts of the United States. In response, the company immediately engaged external cybersecurity experts, implemented containment measures, and notified federal law enforcement.

On December 10, 2024, Krispy Kreme filed a notice with the Securities and Exchange Commission after discovering unauthorized activity on its computer network. That SEC filing triggered a cascade of regulatory disclosures and set the legal clock ticking. The North Carolina-based doughnut chain later reported the data breach to regulators in Maine, Texas, Vermont, South Carolina, and Massachusetts. It completed a months-long investigation on May 22, determining that personal information was stolen from 161,676 people.

Who Is Responsible: The Play Ransomware Gang

The attack was claimed in December by the Play ransomware gang, which the FBI and several international law enforcement agencies have warned is one of the most damaging ransomware groups operating. According to The Record from Recorded Future News, Play has launched a total of 900 attacks on organizations since emerging in 2022.

Play's operators are known for stealing sensitive data from compromised systems and using double-extortion tactics, pressuring victims into paying a ransom under the threat of leaking the stolen data online. That’s exactly what happened here. The cybercriminals claimed to have stolen 184 GB worth of data, which they made public on their Tor-based leak website in December 2024, after Krispy Kreme likely refused to pay a ransom.

Previous notable Play ransomware victims include car retailer giant Arnold Clark, cloud computing company Rackspace, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and American semiconductor supplier Microchip Technology, according to BleepingComputer.

What Data Was Stolen

The breadth of information compromised in this breach is what makes it genuinely alarming. A Krispy Kreme spokesperson confirmed, according to The Record, that “the vast majority of those affected are Krispy Kreme employees, members of their families, and former employees,” and that the data stolen includes Social Security numbers, driver’s licenses, financial account numbers and login information, debit or credit card numbers with security codes, passport numbers, digital signatures, biometric data, USCIS or Alien Registration Numbers, military ID numbers, and health insurance information.

To put it plainly: this wasn’t a case of email addresses and passwords being skimmed. The company’s own investigation confirmed that information such as name, date of birth, Social Security number, driver’s license or state ID number, financial account information, payment card information, passport number, digital signature, email address and password, biometric data, US military ID number, and medical and health information was compromised, according to SecurityWeek.

When Krispy Kreme refused to pay the ransom for the data, the cybercriminals leaked the stolen documents on the dark web in December 2024, meaning this information has been publicly accessible to anyone with the right technical tools for over a year. SecurityWeek notes that while Krispy Kreme says there is no evidence the compromised information has been misused, the stolen data remains freely downloadable from the hackers’ website – making credit and identity protection services particularly valuable for those affected.

For affected employees, the concern isn’t just a compromised bank account that can be closed and replaced. A stolen Social Security number could enable criminals to open credit accounts in someone’s name, while biometric data and passport numbers are essentially impossible to change.

The Financial Toll on Krispy Kreme

The breach didn’t only harm individuals. The company itself absorbed a staggering financial blow. The financial toll on Krispy Kreme extended well beyond the settlement, with the company estimating approximately $11 million in lost U.S. revenue from the incident, primarily due to disruptions to online ordering. An additional $4.4 million went toward cybersecurity remediation and expert consulting fees, according to Krispy Kreme’s May 2025 earnings report, as filed with the SEC, and as reported by TheStreet.

Krispy Kreme’s Q3 2024 financial results indicated that digital orders account for 15.5% of its total sales, a key contributor to its 3.5% organic revenue growth during that quarter. The timing of the attack, in the weeks leading up to Christmas and just ahead of a major promotional event, compounded the damage enormously and appears designed to disrupt critical revenue streams and shake consumer confidence.

The company said in its May 2025 SEC filing that it continued to incur costs in the beginning of the first quarter of fiscal 2025 related to the 2024 cybersecurity incident, noting that cyber insurance may “offset a portion of the losses and costs from the incident.”

The Class Action Lawsuit and Settlement

A class action lawsuit was filed in the U.S. District Court for the Western District of North Carolina under case number 3:25-cv-00434-MOC-SCR. The Settlement Preliminary Approval Order was entered on March 5, 2026.

Krispy Kreme denies all legal claims and any wrongdoing or liability. The court has not made any determination of wrongdoing. The parties agreed to a $1,616,760 settlement to avoid the risk, cost, and time of continuing the lawsuit.

The settlement creates two distinct compensation tracks for eligible class members, and the difference between them is significant.

What You Can Receive

Settlement class members may submit a claim for reimbursement of ordinary loss up to a total of $3,500 per claimant, or settlement class members may submit a claim for an alternative cash benefit estimated to be $75.00 per claimant.

The $75 flat payment requires no documentation whatsoever. People who want the maximum of $3,500 need documentation that covers documented losses related to fraud or identity theft resulting from the breach, and supporting documents may include things like bank statements and invoices tied to the cyberattack.

All class members also receive one year of free credit monitoring, and credit monitoring activation codes were provided on postcard notices sent to class members on March 25, 2026. Settlement class members do not need to submit a claim form to receive this credit monitoring. However, filing the claim form is the only path to any cash payment.

If you haven’t received a notice but believe you may have been affected, contact the Settlement Administrator directly at [email protected] or 1-877-239-1879 for assistance.

How to File a Krispy Kreme Settlement Claim Before the Deadline

Time is running out. A claim form must be filed before June 22, 2026. That deadline applies whether you submit online or by mail.

If you received a postcard notice indicating that you are part of the settlement class, you will have a 10-character alphanumeric “Unique ID” and a 4-digit “PIN,” both found on your postcard notice, which are required for online claim submission.

The fastest option is to submit your claim online at krispykremedatasettlement.com. To file by mail, send your completed claim form to Krispy Kreme Data Incident, Settlement Administrator, PO Box 2047, Portland, OR 97208-2047.

If you did not receive a postcard notice or have lost yours, contact the Settlement Administrator at [email protected] or 1-877-239-1879 for assistance.

Who Is Eligible to File

Per the settlement’s website, those who are part of the “Settlement Class” are living individuals residing in the U.S. who were “sent a notice of the data Incident indicating that your private information may have been impacted in the data incident.” In other words, eligibility depends on having been sent a breach notice warning that your personal information may have been compromised.

One year of credit monitoring will be available for any victims, regardless of whether they file a claim. However, those who do not file a claim will be ineligible for a monetary payout.

Key Deadlines to Know

There are three separate deadlines in this settlement, each with different consequences.

An exclusion or objection must be filed before June 6, 2026. A request to exclude yourself from the settlement altogether must be mailed to the settlement administrator. By formally excluding yourself, you keep your right to file your own lawsuit against the released parties about the claims released by the settlement in this lawsuit.

The court will decide whether to approve the settlement at the Final Settlement Approval Hearing on July 6, 2026, at 9:30 AM EDT, to be held in Charlotte, North Carolina. Cash payments will be issued after the July 6, 2026 final approval hearing and any appeals are resolved.

The Bigger Picture: Data Breaches in 2025 and 2026

The Krispy Kreme incident doesn’t sit in isolation. It is part of a surging wave of ransomware attacks against American companies of all sizes and sectors. About 80% of respondents to a survey by the Identity Theft Resource Center said they received at least one data breach notice in the prior 12 months, and nearly 40% received three to five separate notices over that period.

Of those who recently received a data breach notice, 88% reported at least one negative consequence, such as increased phishing or other scam attempts, more spam emails or robocalls, or an attempted account takeover.

Research from the Identity Theft Resource Center found that 16% of consumers who received a breach notification took no action, with many citing a belief that their data was already exposed elsewhere or that the breached company would resolve the issue on their behalf. That reasoning is understandable. It’s also exactly why criminals count on people to do nothing.

IBM’s 2025 Cost of a Data Breach Report found the average breach life cycle was 241 days, so by the time consumers hear about a breach, criminals may already have a head start, according to cybersecurity experts cited by Reader’s Digest.

ITRC President James E. Lee has stated that over two decades of tracking, the U.S. has entered a “State of More,” a finding detailed in the ITRC’s 2025 Annual Data Breach Report and reported by CNBC in January 2026. The ITRC tracked 3,322 data compromises in 2025, setting a new record and representing a 79% increase over five years.

What to Do Now

If you received a breach notification from Krispy Kreme, the single most urgent thing you can do is file your claim at krispykremedatasettlement.com before June 22, 2026. Even the $75 no-documentation option is money on the table, requiring nothing more than submitting the form with your Unique ID and PIN.

Beyond the claim itself, the nature of the data exposed demands ongoing vigilance. Freezing your credit with all three major bureaus, Experian, Equifax, and TransUnion, can prevent identity thieves from opening new accounts in your name, and the Identity Theft Resource Center considers a credit freeze the most effective protective step a consumer can take. It costs nothing, can be done online through each bureau’s website in under ten minutes, and can be temporarily lifted any time you need to apply for new credit.

If your Social Security number was exposed, criminals may try to use it for employment fraud, tax fraud, or benefit theft. The IRS offers an Identity Protection PIN program that prevents someone else from filing a tax return using your taxpayer identification number. Enrolling now, before tax season, is a concrete step anyone with an exposed SSN should take.

Those who suffered documented financial losses from the breach, things like fraudulent charges on accounts, fees paid to identity recovery services, or expenses incurred managing the fallout, should gather their bank statements, invoices, and any correspondence tying those losses to the breach before filing. The difference between the $75 flat payment and the $3,500 maximum could come down to how thoroughly you document your claim.

The June 22 deadline is firm. Once it passes, the option to receive cash from this settlement closes permanently, regardless of any losses that emerge later. Don’t let this one slip by.

AI Disclaimer: This article was created with the assistance of AI tools and reviewed by a human editor.