Approximately 161,676 current and former employees
Data Published on Dark Web: Yes — full batch posted by Play ransomware group
⚠ This is an active lawsuit — there is no settlement yet. If you are a current or former Krispy Kreme employee affected by the data breach, there is no claim form to submit at this time. If a settlement is reached in the future, you will be notified. In the meantime, activate your free Kroll monitoring services and take steps to protect your identity.
A class action lawsuit has been filed against Krispy Kreme Doughnut Corporation after the notorious Play ransomware group breached the company's computer systems on November 29, 2024, stealing the sensitive personal information of approximately 161,676 current and former employees.
When Krispy Kreme refused to pay the ransom, Play published the entire batch of stolen data on its dark web leak site — making employees' Social Security numbers, financial account information, health records, biometric data, and much more freely available to any criminal who wanted it.
Employees have already reported severe consequences, including fraudulent bank charges, unauthorized loan applications, fake kidnapping calls to family members, new bank accounts opened in their names, and a flood of 10-20 spam calls per day.
What Happened?
On November 29, 2024, Krispy Kreme detected unauthorized activity on its IT systems. The company brought in cybersecurity experts, but the damage was already done: the Play ransomware group had infiltrated the network and exfiltrated massive amounts of employee data.
Play is a well-known ransomware gang that steals corporate data and holds it hostage — threatening to publish it on the dark web if the victim company doesn't pay up. When Krispy Kreme did not comply with Play's ransom demand, the entire batch of stolen employee data was published on Play's dark web leak page, accessible to anyone.
Krispy Kreme did not determine that employee personal information was actually affected until May 22, 2025 — nearly six months later. Notification letters were sent to employees around June 16, 2025.
Critically, the lawsuit alleges that Krispy Kreme never told employees that the Play ransomware group was responsible, and never disclosed that their stolen data had been published on the dark web. The notification letters omitted the root cause of the breach, the vulnerabilities exploited, and the specific remedial measures taken.
What Information Was Exposed?
The scope of this breach is unusually broad. The stolen data varies by individual but may include:
• Names
• Social Security numbers
• Dates of birth
• Driver's licenses or state ID numbers
• Financial account information
• Financial account access credentials
• Credit or debit card numbers
• Credit or debit card security codes (CVVs)
• Usernames and passwords to financial accounts
• Passport numbers
• Digital signatures
• Email addresses and passwords
• Biometric data
• USCIS or Alien Registration Numbers
• US military ID numbers
• Medical and health information
• Health insurance information
The lawsuit emphasizes that all of this data was stored unencrypted on Krispy Kreme's systems, making it trivially easy for the attackers to read and steal once they gained access.
Who Is Affected?
Approximately 161,676 current and former Krispy Kreme employees nationwide are affected. These are people who provided their personal information to Krispy Kreme as a condition of employment.
The 14 named plaintiffs in the consolidated complaint come from 11 different states: California, Florida, Kentucky, Michigan, New York, North Carolina, North Dakota, Ohio, Pennsylvania, South Carolina, Tennessee, and Texas — reflecting the nationwide scope of the breach.
If you received a data breach notification letter from Krispy Kreme dated around June 16, 2025, you are likely an affected class member.
Real-World Harm: What Employees Have Experienced
The lawsuit details disturbing, concrete harms that employees have already suffered. These are not hypothetical risks — this is identity theft that has already happened:
Fraudulent charges and financial theft:
• One plaintiff discovered an unauthorized DoorDash subscription ($17/month) draining her bank account for months, causing repeated overdrafts totaling ~$370 in fees
• Another had $571 charged to her Discover card that appeared as delinquent on her credit report, causing a personal loan application to be denied
• Multiple plaintiffs had fraudulent charges on their bank accounts and debit cards, forcing them to cancel cards and order replacements
Identity theft and account takeover:
• An unauthorized actor applied for a loan on FastLoan.com in one employee's name, which damaged his credit score even though the loan was denied
• One plaintiff received a letter from her bank thanking her for opening a new account she never opened
• An employee is now unable to use Venmo or Apple Pay because both apps can no longer verify his identity
• Multiple unauthorized attempts to log into employees' email and Google accounts
Targeted scams and harassment:
• One plaintiff's mother received a terrifying phone call claiming her daughter had been kidnapped and demanding ransom — the caller knew the employee's full name, address, and her mother's name and address
• A plaintiff received a scam call referencing the last four digits of her Fiserv account number, asking for her CVV code
• One employee receives 10-20 spam calls per day and 5-10 physical spam letters per week, causing her to miss a call about her son being injured because she assumed it was another scam
Emotional and psychological impact:
• One employee was forced to change his phone number due to the volume of spam
• A plaintiff reports waking up in the middle of the night with fear about unknown criminals accessing her data
• One employee described falling into depression as the financial progress he had been making was reversed by identity theft
• A minor employee (represented by her father) fears her credit will be destroyed before she turns 18 and can even check it
What Is the Lawsuit Alleging?
The consolidated class action complaint was filed on October 17, 2025, and brings three claims:
Count 1: Negligence / Negligence Per Se
Krispy Kreme failed to implement reasonable security measures as required by the FTC Act, HIPAA, and industry standards. The company stored sensitive employee data unencrypted, failed to monitor its networks, and failed to detect or prevent the breach. The complaint alleges Krispy Kreme violated the NIST Cybersecurity Framework Version 2.0 and CIS Critical Security Controls.
Count 2: Breach of Implied Contract
Employees provided their personal information as a condition of employment with the reasonable expectation that Krispy Kreme would protect it. Krispy Kreme's own privacy policy stated it takes "administrative, technical and organizational measures" to protect information. The company breached this implied agreement by failing to secure data and by providing inadequate breach notifications.
Count 3: Unjust Enrichment
Krispy Kreme enriched itself by cutting costs on data security — keeping employees' data unencrypted and poorly protected — while profiting from the collection and use of that data. The money Krispy Kreme saved on security came at employees' expense.
What Is Krispy Kreme Offering?
Krispy Kreme is offering affected employees free identity monitoring services through Kroll, which includes:
• Single Bureau Credit Monitoring: Alerts when changes appear on your credit file (new credit applications, etc.)
• Fraud Consultation: Unlimited access to Kroll fraud specialists who can help interpret suspicious activity and explain your rights
• Identity Theft Restoration: A dedicated Kroll licensed investigator will work on your behalf to resolve identity theft issues
To activate your monitoring, visit enroll.krollmonitoring.com and enter the membership number from your breach notification letter.
The lawsuit argues that these services are insufficient given the scope of the breach and the fact that the stolen data has been published on the dark web, where it will remain accessible indefinitely.
What Should I Do if I'm Affected?
If you are a current or former Krispy Kreme employee who received a data breach notification:
• Activate your free Kroll monitoring immediately at enroll.krollmonitoring.com
• Place a credit freeze with all three credit bureaus (Equifax, Experian, TransUnion)
• Place a fraud alert on your credit report by contacting any one of the three bureaus
• Monitor your financial accounts closely for unauthorized charges
• Change all passwords, especially for financial accounts, email, and any accounts where you reuse passwords
• Check your credit reports at annualcreditreport.com for accounts you don't recognize
• Report any identity theft to the FTC at IdentityTheft.gov
• Save all documentation of any losses, fraudulent charges, time spent, or expenses incurred
Given that the stolen data includes biometric data, passport numbers, and health information in addition to Social Security numbers and financial data, this is an extremely high-risk breach. The data on the dark web cannot be recalled, and the risk of identity theft will persist for years.
Is There a Settlement?
No. This is an active lawsuit with no settlement at this time. The consolidated class action complaint was filed on October 17, 2025. There is no claim form to submit yet.
If a settlement is reached in the future, affected class members will receive notice with instructions on how to file a claim. We will update this page as the case develops.
You do not need to take any action to join the lawsuit. If you are a current or former Krispy Kreme employee whose information was compromised, you are potentially a class member automatically.
Case Information
• Case: In Re Krispy Kreme Data Security Litigation, Civil Action No. 3:25-CV-00434-MOC-SCR
• Court: United States District Court, Western District of North Carolina
• Complaint Filed: October 17, 2025
• Named Plaintiffs: Fortesa Bobo, Lily Peace, Jalisa Bogan, Sebastian Schug, Tyreese Banks, Maria Alvarez, Augusta Burkes, Joseph DosReis, Andy Lavor (on behalf of I.L.), Heather Robison, Duane Hopson, Kimberly Thompson, Suzzette Katzman, Phillip McLaughlin
• Defendant: Krispy Kreme Doughnut Corporation (Delaware corporation, Charlotte, NC)
• Interim Class Counsel: Kopelowitz Ostrow P.A.; Cole & Van Note; Milberg Coleman Bryson Phillips Grossman, PLLC
Sources
• Consolidated Class Action Complaint, In Re Krispy Kreme Data Security Litigation, Case No. 3:25-CV-00434-MOC-SCR (W.D.N.C.), filed October 17, 2025
• Krispy Kreme Data Breach Notification Letter (dated June 16, 2025)
• Office of the Maine Attorney General, Data Breach Notification (161,676 individuals)
About This Article
This article covers an active lawsuit that has not been settled. No claim form is available. OpenClassActions.com is a consumer news site and is not a law firm or party to this litigation. If you believe you have been harmed by this data breach, consult with an attorney.