Kronos Operator UKG Hit with Class Action After December 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Workforce management software company UKG, Inc. faces a proposed class action after its ubiquitous Kronos timekeeping system was hacked last December.

The 43-page lawsuit alleges that UKG (Ultimate Kronos Group), whose clients include the likes of PepsiCo, Tesla, GameStop, the University of California, Santa Clara (California) County and numerous hospital and healthcare organizations, failed to implement adequate cybersecurity measures to safeguard the sensitive information with which it was entrusted. According to the case, the December 11, 2021 ransomware attack not only exposed the personal information of millions of workers but crippled UKG clients’ timekeeping and payroll systems, which allegedly caused employees to be paid late or incorrectly.

The plaintiff says his employer, Family Health Centers of San Diego, a nonprofit healthcare clinic provider, had to delay paying workers as a result of the breach, which the suit says “could not have come at a worse time” given the holiday season and COVID-19 pandemic were in full swing. As the suit tells it, even after Family Health Centers started distributing paychecks, many employees were paid “inaccurately and/or not at all.”

The lawsuit alleges UKG’s failure to protect client data has exposed consumers to a heightened risk of identity theft and fraud, not to mention the effects of lost wages.

According to the case, UKG announced on its website on December 11 that the Kronos Private Cloud—which includes UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions—had been hit by a ransomware attack. The suit claims that the data breach was a direct result of UKG’s failure to implement adequate security measures, including best practices recommended by the FBI.

Per the suit, the defendant’s failure to safeguard the personal information of its clients’ employees has been “exacerbated by repeated warnings and alerts” from both public and private institutions that companies such as UKG, who store “massive amounts” of consumer data on cloud-based systems, are particularly vulnerable to cyberattacks.

“Accordingly, UKG knew or should have known that it was a prime target for hackers,” the complaint contends.

The lawsuit claims that although UKG had the resources to invest in adequate data security, it failed to do so.

“UKG failed to undertake adequate analyses and testing of its own systems, training of its own personnel, and other data security measures to ensure vulnerabilities were avoided or remedied and that Plaintiff’s and Class Members’ data were protected,” according to the complaint.

The suit states that as of the date that the complaint was filed, almost two months after the breach occurred, “UKG’s systems remain disabled, its systems remain unsecured, and the harm resulting from the data breach remains unrectified.”

The lawsuit looks to represent U.S. citizens whose personal information was exposed as a result of the Kronos data breach, and U.S. citizens whose paychecks were paid late, inaccurately or not at all due to the incident.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.