Overview
- A November 2024 cyberattack compromised personal data for more than 160,000 current and former Krispy Kreme employees, including names, dates of birth, Social Security numbers and financial-account details.
- The company has agreed to a $1.6 million class-action settlement that lets eligible class members take a flat cash payment of about $75 or submit itemized claims for documented losses up to $3,500.
- Only living U.S. residents who received an official notice that their information may have been affected can file claims, and itemized claims must include proof such as receipts, bills or communications.
- Claim forms must be filed or postmarked by June 22, 2026, opt-outs to preserve independent lawsuits are due June 6, 2026, and no money or monitoring will be distributed until a federal judge gives final approval at a July 6 hearing.
- Krispy Kreme says it investigated the incident with outside cybersecurity experts, notified law enforcement, offered one year of identity and credit monitoring that must be activated, and denies any wrongdoing as part of the agreement.