Krispy Kreme Data Breach Settlement Deadline Approaches; Eligible Customers Can Claim Up to $3,500
What Happened – A 2023 cyber‑incident exposed personal and payment information of millions of Krispy Kreme loyalty‑program members. The company reached a class‑action settlement that allows qualifying individuals to receive compensation of up to $3,500. Claims must be filed by June 22, 2026.
Why It Matters for TPRM –
- Third‑party vendors handling consumer‑grade data can become vectors for large‑scale credential and payment‑card exposure.
- Settlement deadlines create a narrow window for affected organizations to assess downstream risk to their own customers and partners.
- Ongoing litigation may result in additional regulatory scrutiny and future compliance obligations for the vendor.
Who Is Affected – Retail & E‑commerce (doughnut chain), Loyalty‑program providers, Payment‑card processors, and any downstream partners that integrated Krispy Kreme’s API or data feeds.
Recommended Actions –
- Verify whether your organization consumes any Krispy Kreme‑hosted APIs, data feeds, or shared loyalty‑program services.
- Review the breach notification you received (if any) and confirm the scope of exposed data fields.
- Ensure that any stored customer payment data from Krispy Kreme is encrypted, tokenized, and that PCI‑DSS controls are enforced.
- Update third‑party risk registers to reflect the breach, its remediation status, and any contractual obligations for indemnity.
Technical Notes – The breach was attributed to a credential‑theft attack on an internal admin portal, leading to unauthorized export of loyalty‑program member records (names, email addresses, phone numbers, and partial payment‑card details). No public CVE was associated. Source: TechRepublic