Krispy Kreme said the incident is likely to materially affect operations and short-term financial performance
# Incident Report: Disruption of Krispy Kreme Online Ordering Systems
## Executive Summary
Krispy Kreme experienced a cyber-incident beginning on November 29, 2024, that resulted in unauthorized activity on a portion of its IT systems, severely disrupting online ordering capabilities across parts of the US. While physical store operations and retail deliveries remained largely unaffected, the incident is expected to have a material financial impact due to lost digital revenue and recovery costs. The company has engaged external experts, notified law enforcement, and is actively working to restore services.
## Incident Details
- **Discovery Date:** November 29, 2024
- **Incident Date:** Began on or before November 29, 2024
- **Affected Organization:** Krispy Kreme
- **Sector:** Food & Beverage (Restaurant/Retail)
- **Geography:** Primarily impacting US operations (online ordering)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before November 29, 2024
- **Vector:** Unauthorized activity was detected on "a portion of its IT systems"; the specific initial access vector is not stated in the available information.
- **Details:** Krispy Kreme was notified of the unauthorized activity on this date.
### Lateral Movement
- Details on lateral movement are not specified in the report. However, the impact was confined to digital sales systems; production and retail supply chains were not interrupted.
### Data Exfiltration/Impact
- **Impact:** Disruption of Krispy Kreme's online ordering capabilities in parts of the US.
- **Data Security:** The nature of the incident and whether customer data was affected remains under investigation.
### Detection & Response
- **Detection:** Company notified of unauthorized activity on November 29, 2024.
- **Response Actions:** Investigation, containment, and remediation efforts began immediately with the assistance of external cybersecurity experts. Law enforcement has been informed.
## Attack Methodology
- **Initial Access:** Unauthorized access to a portion of IT systems (Method Unknown).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown, but activity appears to have been confined to IT/digital systems; Operational Technology (OT) was not affected.
- **Collection:** Unknown, but digital sales data may have been targeted.
- **Exfiltration:** Unknown.
- **Impact:** Disruption of digital business operations (online ordering).
## Impact Assessment
- **Financial:** Expected material impact due to loss of revenue from digital sales (which comprised 15.5% of Q3 2024 sales), advisory fees, and recovery costs. Cyber insurance is expected to offset some costs.
- **Data Breach:** Status unknown; investigation ongoing.
- **Operational:** Significant disruption to online ordering in affected US regions. Physical stores remain open globally and in-person orders are unaffected. Fresh deliveries to retailers are uninterrupted.
- **Reputational:** Potential short-term negative impact as customers unable to order online may seek alternatives.
## Indicators of Compromise
- *Note: Specific IoCs were not disclosed in the source material and have been omitted.*
## Response Actions
- **Containment:** Steps were taken to investigate and contain the unauthorized activity.
- **Eradication:** Remediation efforts are ongoing.
- **Recovery:** Efforts are in progress to restore online ordering functionality.
## Lessons Learned
- The ability to contain the threat to the IT/digital environment, preventing access to Operational Technology (OT) responsible for production and deliveries, was a positive outcome.
- The incident highlights the significant financial exposure created by disruptions to digital sales channels (15.5% of Q3 2024 sales).
## Recommendations
- Fully scope the extent of data compromise and promptly notify affected parties if PII/customer data is confirmed breached.
- Strengthen network segmentation between corporate IT environments and critical OT systems to improve resilience against future incidents.
- Review and maintain capabilities to pivot sales channels quickly if primary digital platforms are disabled.