Dive Brief:
- UKG reached an agreement to settle a class-action lawsuit for up to $6 million for individuals impacted by a 2021 ransomware attack that disrupted the payroll services provider’s Kronos Private Cloud service.
- The ransomware attack, which impacted multiple UKG customers such as Tesla, PepsiCo, Whole Foods and New York City’s Metropolitan Transportation Authority, hindered some customers’ ability to process payroll.
- A series of class-action lawsuits were filed by employees of UKG customers, including a group of individuals whose data was stolen during the ransomware attack. As part of the proposed settlement, UKG “denies any wrongdoing.”
Dive Insight:
The settlement, which awaits final approval, underscores the extent to which third-party vendors can be held financially liable for cyberattacks that impact the employees of their customers’ customers.
The ransomware attack disrupted the payroll for at least a month for more than 16,000 employees at UMass Memorial Health, which later settled a separate lawsuit for wage and hour claims for $1.2 million.
The lawsuits hit UKG with allegations of negligence, breach of contract and privacy law violations.
UKG agreed to provide up to $6 million for class member claims. The preliminary settlement agreement in the U.S. District Court for the Northern District of California, which must be approved by a federal judge, entitles class members to up to $1,000 for ordinary losses, which include bank fees or credit monitoring losses. Individuals who suffered fraud or identity theft may seek up to $7,500, according to the court filings. The Wall Street Journal previously reported details of the proposed settlement.
The settlement covers current or former employees or contractors of UKG customers whose data was stored in Kronos Private Cloud at the time of the attack and who were impacted by service disruptions.
UKG also agreed to spend approximately $1.5 million to improve its cybersecurity defenses.