Tesla, PepsiCo workers bring lawsuit over UKG payroll outage
Lawsuits over the ransomware attack that hurt UKG payroll and timekeeping systems are being filed. Workers are claiming inaccurate pay during the outage.
Two workers, one at Telsa Inc. and the other at a PepsiCo Inc. subsidiary, are suing the Ultimate Kronos Group over paychecks short of what they earned. The lawsuit -- one of three filed -- is the start of legal consequences from the ransomware attack against the vendor's payroll and timekeeping systems.
A attack hit Ultimate Kronos Group (UKG) payroll and timekeeping systems Dec. 11, and prompted some customers to switch to manual processes, including paper. But in some cases, fixes like these relied on estimates of hours worked, which may have left some paychecks without overtime and holiday pay.
UKG said it is "ahead of schedule" in meeting its complete restoration date of Jan. 28. On Friday, it said services for more than 1,000 affected customers were "back online and ready for them to log-in." About 2,500 customers were affected by the attack.
The lawsuit, filed Tuesday in U.S. District Court in California, seeks class-action status. One plaintiff, William Muller, works as a truck driver in California for New Bern Transport Corp., an exclusive carrier and wholly owned subsidiary of PepsiCo. The other plaintiff is Antonio Knezevich, a truck driver in California for Tesla Inc.
The lawsuit claims the ransomware attack "crippled" payroll and timekeeping systems at PepsiCo and Telsa. As described in the suit, the apparent workaround was calculating wages based on averaging employee hours in the weeks before the breach.
But that practice "has proved woefully inadequate, resulting in Plaintiffs and employees like Plaintiffs not being fully paid for all time worked, not being paid overtime, being provided inaccurate wage statements or no wage statements at all," the lawsuit claims.
UKG isn't commenting on the lawsuits.
It is the third lawsuit seeking class-action status against UKG over its breach, and it's not the only risk the company faces.
The range of risks
Legal experts said that regulatory enforcement by federal and state agencies and governments abroad are another risk.
Michael ZweibackAttorney, Zweiback, Fiset & Coleman LLP
"The principal threat to the company is really going to come from regulators," said Michael Zweiback, a cybersecurity attorney at Zweiback, Fiset & Coleman LLP in Los Angeles.
From the perspective of regulators, "private companies are responsible for maintaining and hardening their networks against these international threat actors," Zweiback said.
Customers can also sue over breaches, but their contract with their vendor may limit them, said Layna Cook Rush, an attorney who leads the data incident response team Baker, Donelson, Bearman, Caldwell & Berkowitz P.C. in Baton Rouge, La. It's rare to see a SaaS provider like UKG "that doesn't have some type of limiting language in their contract," she said.
Between the litigation and possible regulatory action, the cost of responding to a break "can have a significant impact on your business -- it can cost a lot of money," Rush said.
Another lawsuit is against UKG and West Penn Allegheny Health System Inc., in Pittsburgh. The plaintiff, Larry Kroeck, is alleging pay discrepancies. It also seeks class-action status. A third lawsuit seeks class-action status over any cybersecurity risks posed by incident.
Patrick Thibodeau covers HCM and ERP technologies for TechTarget. He's worked for more than two decades as an enterprise IT reporter.