Krispy Kreme data hacking settlement value? About 6 dozen original glazed doughnuts

Victims of a major 2024 hacking attack on Krispy Kreme Inc. may qualify for up to $75 in damages, or about the cost of six dozen original glazed doughnuts.

The company agreed in January to pay $1.62 million to settle a federal class-action lawsuit affecting nearly 162,000 people.

That includes at least 19,665 North Carolinians, according to the Krispy Kreme security breach report to the N.C. Attorney General's Office. The lawsuit sought at least $5 million in damages.

This week, Krispy Kreme posted an update on the proposed settlement agreement in the U.S. District Court for the Western District of North Carolina. The settlement covers the period of Nov. 29, 2024, to June 22, 2026. The latter date is the deadline for filing a claim.

Krispy Kreme disclosed in a June regulatory filing that the data breach affected mostly Krispy Kreme employees, former employees and their families, all of whom are receiving notifications.

Those eligible for a settlement payment are "a living individual residing in the United States and sent a notice of the data incident indicating that your private information may have been impacted."

The company said in May that information subject to unauthorized access varies by individual but may include personal identification, financial accounts, biometric data, health insurance information, and usernames and passwords.

The court will decide whether to approve the settlement on July 6.

Krispy Kreme has offered credit monitoring and identity protection services at no cost to affected individuals.

Krispy Kreme disclosed in February 2025 that it had an $11 million financial impact in the fourth quarter from the hacking incident, which at that time mostly affected customers' ability to place digital and online orders.

Krispy Kreme said some of the $11 million is expected to be covered by cybersecurity insurance.

In January, Murphy Law Firm of Oklahoma City provided details about the hacking incident in a news release intended to solicit potential lead plaintiffs.

The law firm said the ransomware group known as Play took credit for the attack, claiming to have stolen 184 gigabytes worth of data, including personal information, client documents and financial information.

To put the data breach exposure into context, a gigabyte is a unit of digital information storage equivalent to 1 billion bytes.

The group claims to have made this data public on their Tor-based leak website in December.

"As a result of the data breach, these individuals' personal and highly sensitive information may be in the hands of cybercriminals, who can place the information for sale on the dark web or use the information to perpetrate identity theft," the law firm said.

Copyright 2026 Tribune Content Agency. All Rights Reserved.