HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Krispy Kreme Data Breach Settlement Deadline Approaches; Eligible Customers Can Claim Up to $3,500

A 2023 cyber‑attack on Krispy Kreme’s loyalty platform exposed personal and payment data of millions of members. The company has agreed to a class‑action settlement allowing qualified claimants to receive up to $3,500, with a filing deadline of June 22, 2026. Third‑party risk managers should assess exposure, validate controls, and update vendor risk registers.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 techrepublic.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
techrepublic.com

Krispy Kreme Data Breach Settlement Deadline Approaches; Eligible Customers Can Claim Up to $3,500

What Happened – A 2023 cyber‑incident exposed personal and payment information of millions of Krispy Kreme loyalty‑program members. The company reached a class‑action settlement that allows qualifying individuals to receive compensation of up to $3,500. Claims must be filed by June 22, 2026.

Why It Matters for TPRM

  • Third‑party vendors handling consumer‑grade data can become vectors for large‑scale credential and payment‑card exposure.
  • Settlement deadlines create a narrow window for affected organizations to assess downstream risk to their own customers and partners.
  • Ongoing litigation may result in additional regulatory scrutiny and future compliance obligations for the vendor.

Who Is Affected – Retail & E‑commerce (doughnut chain), Loyalty‑program providers, Payment‑card processors, and any downstream partners that integrated Krispy Kreme’s API or data feeds.

Recommended Actions

  • Verify whether your organization consumes any Krispy Kreme‑hosted APIs, data feeds, or shared loyalty‑program services.
  • Review the breach notification you received (if any) and confirm the scope of exposed data fields.
  • Ensure that any stored customer payment data from Krispy Kreme is encrypted, tokenized, and that PCI‑DSS controls are enforced.
  • Update third‑party risk registers to reflect the breach, its remediation status, and any contractual obligations for indemnity.

Technical Notes – The breach was attributed to a credential‑theft attack on an internal admin portal, leading to unauthorized export of loyalty‑program member records (names, email addresses, phone numbers, and partial payment‑card details). No public CVE was associated. Source: TechRepublic

📰 Original Source
https://www.techrepublic.com/article/news-krispy-kreme-data-breach-settlement-claims-deadline/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →