Krispy Kreme sees lawsuits mount after data breach impacting over 160,000 people
As Krispy Kreme deals with shareholder lawsuits stemming from the abrupt end to its McDonald’s partnership this week, over a dozen federal lawsuits tied to a massive company data breach also have been filed.
Since June 20, some 15 lawsuits representing 18 people have been filed in U.S. District Court for the Western and Middle districts of North Carolina.
The data breach occurred last November, exposing personal information including Social Security numbers, and health and financial information. Last week, Krispy Kreme began notifying over 160,000 people, mostly employees and their family, who were affected.
Krispy Kreme is headquartered in Charlotte, and the glazed doughnut company has more than 20,000 employees worldwide.
The plaintiffs in the data breach case are from Mint Hill, Winston-Salem and Fort Bragg in North Carolina, Lexington and Spartanburg in South Carolina; Jacksonville, Florida; Jamestown, North Dakota; as well as from California, Michigan, New York, Ohio, Pennsylvania and Texas.
In all of the cases, the plaintiffs are seeking certification for class-action suits and a jury trial.
While the lawsuits don’t specify a dollar amount for damages, some cases say the amount exceeds $5 million, which is the threshold under the Class Action Fairness Act.
Krispy Kreme did not immediately respond to requests for comment Friday.
Krispy Kreme breach affects over 160,000 people
Last week, Krispy Kreme began notifying 161,676 people affected by a data breach through an unauthorized third party last November. The majority of people affected are Krispy Kreme employees, former workers and members of their families, according to the company.
In North Carolina, about 19,665 people were affected, according to a report from Krispy Kreme to Attorney General Jeff Jackson’s office.
In South Carolina, 7,200 people were affected, according to Charleston news station WCBD.
In “Notice of Data Breach” letters attached to two of the latest filed lawsuits on Thursday, Krispy Kreme said in letters dated June 16: “We are writing to notify you of the incident, offer you complimentary identity monitoring services, and inform you of steps you can take to help protect your personal information.”
The letters explained Krispy Kreme was notified of the unauthorized activity on a portion of its information technology systems on Nov. 29 and “immediately began taking steps to investigate, contain and remediate the incident with assistance of leading cybersecurity experts.”
On May 22, Krispy Kreme determined “certain of your personal information was impacted by this incident.” Such information included “your name, date of birth, financial account access information and Social Security number.”
Krispy Kreme said it contacted law enforcement and cybersecurity firms to access the scope and cause. The company is offering a year of free credit monitoring, fraud consultation and identity theft restoration.
Krispy Kreme spent about $3 million on data breach remediation and saw a revenue loss of about $11 million due to the breach, the company reported in its fourth-quarter earnings in February.
Lawsuits’ claims against Krispy Kreme
Among claims in the lawsuits, the plaintiffs say Krispy Kreme:
▪ Failed to implement adequate industry-standard cybersecurity measures as required by federal laws, exposing users to risks such as identity theft and fraud.
▪ Was negligent by not securing employee and former employee data including names, Social Security numbers, birth dates, driver’s license information, health records, insurance and financial information and biometric data.
▪ Delayed notification of over six months and lack of transparency about the breach’s cause and scope deprived people affected of a chance to protect themselves.
▪ Allowed data to be stolen by a ransomware group named Play, which leaked the data publicly.
This month, the FBI and the Cybersecurity and Infrastructure Security Agency warned that Play ransomware group (also known as Playcrypt) had targeted businesses and critical infrastructure in North America, South America and Europe.
As of May, the FBI was aware of about 900 groups in several countries that were allegedly exploited by Play, the agencies said in a joint advisory. Play ransomware was among the most active ransomware groups in 2024 since launching in 2022, according to the advisory.
▪ Caused anxiety and emotional distress, lost time and a heightened risk of identity theft as a result of the breach, saying their information is likely already circulating on the dark web.
The plaintiffs are seeking monetary damages for time spent monitoring accounts and dealing with identity theft risks, reimbursement for expenses related to the breach, injunctive relief to require improved data security measures, and more comprehensive identity protection services.
Eight law firms represent one or more plaintiffs.
The other Krispy Kreme lawsuits
Also this week, Krispy Kreme and McDonald’s USA jointly decided to end their partnership, effective July 2.
The fast-food burger chain and the doughnut giant partnership was just over a year old, beginning in March 2024, bringing fresh Krispy Kreme doughnuts to McDonald’s restaurants nationwide. The phased rollout into all McDonald’s stores was to run through 2026.
But on Tuesday, Krispy Kreme CEO Josh Charlesworth said, “Ultimately, efforts to bring our costs in line with unit demand were unsuccessful, making the partnership unsustainable for us.”
In response to the breakup, three shareholders filed federal lawsuits against Krispy Kreme, its executives and board members.
All three suits allege serious corporate misconduct by Krispy Kreme and its officials including making false and misleading statements about the financial viability of the high-profile expansion of the nationwide partnership with McDonald’s, which led to a major drop in Krispy Kreme’s revenue and stock price in May.
Krispy Kreme has not responded to requests for comment about the partnership ending and the lawsuits.
The 84-year-old doughnut company, best known for its “Hot Now” glazed doughnuts, started in Winston-Salem.
Krispy Kreme moved its corporate offices and test kitchen in 2019 to Charlotte’s South End at 2116 Hawkins St. The publicly-traded chain operates in 40 countries and has more than 20,000 employees worldwide.
This story was originally published June 27, 2025 at 11:59 AM.
