Krispy Kreme set to pay thousands in data breach settlement money before deadline
If Krispy Kreme sent you a notice about a data breach affecting your personal information, there is money available for you to collect. A $1.6 million class action settlement tied to a November 2024 ransomware attack is offering cash payments to more than 161,000 affected individuals.
The breach exposed Social Security numbers, financial account access information, and other sensitive records belonging to current and former employees and their families. Filing a claim could put as much as $3,500 in your pocket if you have documented losses from identity theft or fraud.
The filing deadline is June 22, 2026, giving affected individuals less than a month to act before the window closes permanently.
Krispy Kreme's $1.6 million settlement offers two tiers of cash payments
The settlement received preliminary court approval on March 5, 2026, and establishes a total fund of $1,616,760 for eligible class members nationwide. Individuals who received a data breach notification from Krispy Kreme are automatically included in the settlement class, according to the official settlement website.
Those who can provide documentation of financial losses directly tied to the breach are eligible for reimbursement of up to $3,500 from the fund. Qualifying expenses include unreimbursed bank charges, credit monitoring costs, and time spent resolving identity theft issues, according to the settlement website.
Class members who cannot document specific financial harm can still file for an alternative cash payment of approximately $75 from the settlement fund. That figure may shift up or down on a pro rata basis, depending on the total number of claims filed, the settlement website explained.
Every eligible individual can also receive one year of free credit monitoring, regardless of whether they pursue a separate cash payment through the settlement. Activation codes for that service were mailed on postcard notices to class members on March 25, 2026, the settlement website confirmed.
How the November 2024 Krispy Kreme cyberattack unfolded
Krispy Kreme identified unauthorized access to its IT infrastructure on Nov. 29, 2024, and reported the incident to the Securities and Exchange Commission on Dec. 11, BleepingComputer reported. The intrusion disrupted online ordering across multiple U.S. locations for weeks during the holiday shopping season.
The Play ransomware gang, which the FBI has identified as one of the most active ransomware groups of 2024, claimed responsibility for the attack in late December 2024. The criminal group reportedly stole 184 gigabytes of data from the company's network before Krispy Kreme secured its systems, according to SecurityWeek.
More Personal Finance:
- Fidelity has a warning for anyone who left a 401(k) at an old job
- Living trusts: what they do and who needs one
- Fidelity sounds alarm on 401(k)s, IRAs
The financial toll on Krispy Kreme extended well beyond the settlement, with the company estimating approximately $11 million in lost U.S. revenue from the incident, primarily due to disruptions to online ordering.
An additional $4.4 million went toward cybersecurity remediation and expert consulting fees, according to Krispy Kreme's May 2025 earnings report. The compromised data included deeply sensitive information extending far beyond names and email addresses for the 161,676 people affected by the breach.
Social Security numbers, financial account information, and driver's license numbers were exposed, BleepingComputer reported. Passport numbers and health insurance information were also among the compromised data, according to Krispy Kreme's state attorney general filings, as reported by SecurityWeek.
Filing deadlines and how to submit a Krispy Kreme settlement claim
The final day to submit or postmark a claim form is June 22, 2026, leaving affected individuals just weeks to take action before the window closes. Claims can be filed online at krispykremedatasettlement.com or mailed to the settlement administrator in Portland, Oregon, according to the settlement website.
A separate deadline of June 6, 2026, applies to anyone who wants to exclude themselves from the settlement entirely and preserve the right to pursue independent legal action. That same date serves as the cutoff for filing formal objections to any of the settlement terms, the settlement website stated.
Consumers must move from reacting to acting…Freezing your credit and transitioning to passkeys are the foundational requirements for digital safety. Businesses should prioritize transparency over liability mitigation… .
The Honorable Max O. Cogburn Jr. of the U.S. District Court for the Western District of North Carolina will preside over the final approval hearing on July 6, 2026. Cash payments will not be distributed until after that hearing concludes, and any potential appeals are resolved, the settlement website indicated.
Anyone uncertain about their eligibility can contact the settlement administrator directly by calling 877-239-1879 for assistance with claim forms and related questions. The settlement website also provides downloadable forms and a complete copy of the settlement agreement for individuals who want to review the full terms.
Why do many breach victims never file claims?
The Krispy Kreme settlement follows a pattern that identity theft experts say repeats across dozens of major corporate data breaches every single year in America.
"Most people know what they should do, but choose not to in the areas of data protection and password practices," said Eva Velasquez, CEO of the Identity Theft Resource Center.
Research from the center found that 16% of consumers who received a breach notification took no action. Many cited a belief that their data was already exposed elsewhere or that the breached company would resolve the issue on their behalf.
The center's 2024 Annual Data Breach Report documented a near-record number of data compromises, with more than 1.7 billion individual victim notices issued in one year. "We are also seeing an increase in notices that provide limited actionable information for victims," Velasquez warned in the report.
Larger data breach settlements have paid out significantly more in recent years, with T-Mobile agreeing to pay $350 million and Capital One agreeing to pay $190 million in separate class actions.
The Krispy Kreme fund is a fraction of those, but the pattern is the same: a breach, a notification letter, a settlement window, and a deadline most affected people never act on. For the 161,676 people notified by Krispy Kreme, that deadline is June 22.
Related: Krispy Kreme announces limited-time offer at crucial time
The Arena Media Brands, LLC THESTREET is a registered trademark of TheStreet, Inc.
This story was originally published May 25, 2026 at 8:33 PM.