The deadline to file a claim in the Krispy Kreme data breach settlement is Saturday, June 21, and anyone who received a notification letter has only days left to act. The settlement offers up to $3,500 per person for documented out-of-pocket losses tied to the late 2024 cyberattack that knocked out the doughnut chain’s online ordering system for weeks and exposed the personal information of more than 161,000 people.
Krispy Kreme first disclosed the breach to investors in a December 2024 securities filing, calling it a material event. A separate notification to the Maine Attorney General’s office confirmed that 161,676 individuals were affected nationwide.
Here is what affected consumers need to know about the settlement, what qualifies for reimbursement, and how to file before the window shuts.
What happened in the Krispy Kreme breach
In late November 2024, Krispy Kreme detected unauthorized access to portions of its IT infrastructure. The intrusion disrupted online ordering across parts of the United States, forcing customers to place orders in person while the company worked with outside cybersecurity firms to isolate and remediate the attack. In-store sales and deliveries to grocery and convenience partners continued, but the digital side of the business was hobbled for several weeks.
By December 2024, Krispy Kreme had begun sending notification letters to affected individuals and reporting the breach to state regulators. The Maine Attorney General’s breach reporting database, which requires companies to disclose incidents affecting state residents, lists the confirmed count at 161,676 people notified.
The specific categories of compromised data vary by individual. Breach notification letters sent to affected consumers detail what was exposed in each case, and recipients should review their letters carefully. In incidents of this type, compromised data can range from names and contact information to Social Security numbers or financial account details.
What the settlement covers
This settlement is built around documented, out-of-pocket losses, not automatic flat payments. That means claimants need receipts or records showing actual expenses connected to the breach. Eligible costs include:
- Credit monitoring services purchased after receiving the breach notification
- Bank fees triggered by unauthorized transactions on compromised accounts
- Costs of placing or lifting credit freezes and fraud alerts
- Identity theft recovery expenses such as notarization fees, postage, or replacing government-issued documents
- Time spent dealing with fraud or contacting financial institutions, reimbursed at a fixed hourly rate specified in the settlement terms
The $3,500 cap is a ceiling, not a guarantee. Reaching it requires substantial, well-documented harm. Someone who spent a few hours monitoring accounts and placed a credit freeze will likely recover far less. Those who suffered no measurable financial impact may still qualify for limited compensation for time spent, but the payout in those cases tends to be modest.
How to file a claim before June 21
Filing follows a straightforward process, but with the deadline on Saturday, speed matters more than perfection. Here is what to do:
1. Confirm your eligibility. Your notification letter from Krispy Kreme or the settlement administrator is the key document. It contains a unique claim number and a link to the official settlement website. If you believe you were affected but never received a letter, contact the claims administrator directly using the information on the settlement site.
2. Gather your documentation. Collect receipts, bank statements, credit monitoring invoices, and any records of expenses you incurred because of the breach. If you spent time on the phone with banks or credit bureaus, note the dates, approximate hours, and what you were resolving. Imperfect records are better than none.
3. Submit your claim online. The settlement website, linked in your notification letter, has a claims portal for electronic filing. Paper claims by mail are also accepted, but with only days remaining, online submission is the only realistic option.
4. Save your confirmation. After filing, keep a copy of your claim confirmation number and any receipt the portal generates. If a dispute arises later about whether you filed on time, that record is your proof.
Why most claimants won’t collect the full $3,500
Low participation is the norm in data breach settlements. Across years of class action cases, only a small fraction of notified individuals ever file claims, and fewer still collect the maximum. Several factors drive that pattern, and the Krispy Kreme case is no exception.
Many affected people never open the notification letter or assume it is junk mail. Others lack the documentation the settlement requires. And because settlement funds are finite, if total approved claims exceed the pool, individual payouts shrink proportionally. With 161,676 people notified, even a modest filing rate could stretch the available money thin, depending on the total fund size, which has not been disclosed in the primary public filings reviewed for this article.
That said, people with clear documentation of real losses, such as bank fees from unauthorized charges or money spent on credit monitoring, stand the best chance of meaningful recovery. The settlement rewards specificity: the more detailed your records, the stronger your claim.
What public filings reveal and where the gaps are
Two primary sources anchor the public record on this case. The Maine Attorney General’s breach reporting database provides the confirmed count of affected individuals and the company’s disclosure timeline. Krispy Kreme’s SEC filing confirms the company treated the breach as material to its business and investors.
What those filings do not contain are the granular settlement terms: the total fund size, the precise eligibility rules, or the court order establishing the June 21 deadline. That information lives in the court-approved settlement agreement and the class action notice mailed to affected individuals. Anyone who wants to review the full terms should check their notification letter for the settlement website URL or the court case number and search the relevant court’s electronic docket.
Days left to file, not weeks
Saturday, June 21, is a hard cutoff. Claims submitted after that date will almost certainly be rejected, no matter how strong the supporting documentation. For the 161,676 people whose information was compromised in the Krispy Kreme breach, this week is the last realistic window to recover any compensation.
If you received a notification letter and have not yet filed, treat this as urgent. Pull together whatever records you have, submit your claim online, and save the confirmation. The process takes less than an hour for most people, but the opportunity disappears on Saturday.



