Cybercrime,
Fraud Management & Cybercrime,
Incident & Breach Response
Publicly Traded Firm Reports Significant Cybersecurity Incident to U.S. Regulators
Krispy Kreme, the well-known doughnut retailer, has notified U.S. federal regulators of ongoing operational challenges stemming from a cybersecurity incident. The company stated it will experience continued difficulties, significantly impacting its business activities.
Founded in North Carolina and evolving from a regional favorite into a globally recognized brand in the 1990s, Krispy Kreme reported revenues of $1.5 billion in 2023. In a recent SEC filing, the company confirmed that its physical locations remain operational and customers can purchase doughnuts in person, though some areas have experienced offline ordering disruptions.
The firm reported discovering “unauthorized activity” within its network on November 29, leading them to disclose that the incident is likely to have a material impact on their operations until recovery efforts are concluded. The company highlighted that online orders, which accounted for 15% of their sales during peak summer months, are particularly affected.
Despite the incident contributing to a 2.8% decline in stock value during the initial trading hours post-announcement, Krispy Kreme maintained that they do not expect long-term detrimental effects. The company intends to counterbalance the costs associated with incident response efforts through claims on its cybersecurity insurance.
The Securities and Exchange Commission instituted new disclosure rules in June 2023, mandating immediate reporting of material cybersecurity incidents that could influence shareholder decisions. This heightened regulatory environment underscores the importance of transparency for publicly traded firms responding to cyber threats.
While the specifics of the attack remain undisclosed, the situation presents characteristics typical of financially motivated cyberattacks, potentially involving techniques outlined in the MITRE ATT&CK framework, including initial access and privilege escalation tactics. Such methods are frequently employed by adversaries aiming to exploit vulnerabilities for illicit gain.
In summary, Krispy Kreme’s recent cybersecurity incident serves as a stark reminder of the ongoing challenges companies face in protecting their digital assets. The situation not only stresses the implications for business operations but also emphasizes the critical nature of effective cybersecurity strategies and incident response protocols in today’s interconnected economy.
