In its breach notification, the doughnut maker said that the types of information that were subject to unauthorized access vary by individual, but may include financial account information, credit or debit card information in combination with a security code, and email address and password. A full list is included at the bottom of the article.
The data of customers, current employees, former employees and the families of employees was accessed during the breach.
Krispy Kreme is a US doughnut manufacturer which also has a franchise operating in the UK and Ireland.
In response to the publication of the breach notification, Dray Agha, senior manager of security operations at cybersecurity platform Huntress, said the data collected by Krispy Kreme on its customers far exceeded what it required to sell doughnuts.
“Biometrics and digital signatures are especially concerning since they can’t be reset like passwords,” Agha continued.
“Storing credit card security codes, financial account passwords, and government IDs, such as passports, in the same systems is a major red flag. These should be strictly isolated. Mixing them made it easier for attackers to steal ‘full identity kits’ for fraud. Retaining CVV numbers (prohibited by card industry rules) and passwords in plaintext or weak encryption shows alarming gaps.
“Usernames and passwords also require robust encryption, which appears to have been overlooked. Krispy Kreme now faces lawsuits and fines, but the bigger damage is to customer trust: people expect retailers to protect their data, not stockpile it irresponsibly.”
Aimee Bush, principal data privacy consultant at Bridewell, added that the type of data leaked in this breach could cause significant harm to current and former employees.
“The biggest concern is that Krispy Kreme have confirmed that biometric data has been impacted, and whilst we don’t know which types of biometrics, unlike passwords, credit card numbers, and even digital signatures, we cannot easily change a fingerprint, or face, meaning a breach of this type of data could result in long-term and potentially irreversible damage,” Bush said.
“Whilst it’s difficult to comment on what security measures they had in place before the incident, or the root cause itself, there are some technical measures they could have taken to support protecting the information they were collecting.
“For example, using Biometric Privacy Enhancing Technologies to support ‘unlinkability’, to make the link between the biometric template and the person they belong to more challenging, such as keeping the biometrics and other personal information segregated, or using ‘irreversibility’ so the biometric template can’t be reverse engineered and used for other purposes.”
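As an added illustration of the unlinkability and irreversibility properties Bush describes (example code, not from Krispy Kreme, Bridewell or the article), the following simplified random-projection scheme in the style of BioHashing stores only sign bits derived from a feature vector and a per-user secret token that is kept separately from the template. The feature vector, probe noise, tokens and threshold are constructed assumptions for the demonstration.

```python
import hashlib
import random
from typing import List

FEATURE_DIM = 16        # length of the (constructed) biometric feature vector
TEMPLATE_BITS = 256     # number of sign bits kept in the protected template
MATCH_THRESHOLD = 0.25  # normalised Hamming distance at or below which we accept


def make_projection(user_token: bytes) -> List[List[float]]:
    """Derive a user-specific random projection from a secret token.

    The token lives in a separate store from the template (segregation); the
    projection is regenerated from it at match time and never persisted."""
    seed = int.from_bytes(hashlib.sha256(user_token).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]


def protect(features: List[float], user_token: bytes) -> List[int]:
    """Map a feature vector to a cancelable bit-string template.

    Only the sign of each projection is kept, so the stored bits do not contain
    the raw features (irreversibility); re-issuing the token yields an unrelated
    template, so a stolen one can be revoked (unlinkability)."""
    return [1 if sum(f * r for f, r in zip(features, row)) > 0 else 0
            for row in make_projection(user_token)]


def distance(a: List[int], b: List[int]) -> float:
    """Normalised Hamming distance between two templates of equal length."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(stored: List[int], features: List[float], user_token: bytes) -> bool:
    return distance(stored, protect(features, user_token)) <= MATCH_THRESHOLD


# Constructed sample data: an enrolment vector and a slightly noisy re-capture.
ENROLLED = [((i * 7) % 11 - 5) / 5 for i in range(FEATURE_DIM)]
PROBE = [f + (0.02 if i % 2 else -0.02) for i, f in enumerate(ENROLLED)]
TOKEN_V1 = b"user-42-token-v1"  # issued at enrolment (constructed)
TOKEN_V2 = b"user-42-token-v2"  # re-issued after a compromise (constructed)

if __name__ == "__main__":
    stored = protect(ENROLLED, TOKEN_V1)
    print("same token, noisy probe:", matches(stored, PROBE, TOKEN_V1))
    print("revoked token          :", matches(stored, PROBE, TOKEN_V2))
    print("cross-token distance   :",
          round(distance(stored, protect(ENROLLED, TOKEN_V2)), 3))
```

The same biometric under two different tokens produces templates about half a bit-string apart, which is what makes a leaked template unusable once the token is rotated.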
Food Manufacture has reached out to Krispy Kreme for comment.
Full list of types of data accessed: name, social security number, date of birth, driver’s license or state ID number, financial account information, financial account access information, credit or debit card information, credit or debit card information in combination with a security code, username and password to a financial account, passport number, digital signature, username and password, email address and password, biometric data, USCIS or Alien Registration Number, US military ID number, medical or health information, and health insurance information.