A class-action lawsuit against Ultimate Kronos Group claimed the company's recent ransomware attack exposed the personal data of millions of customer employees.
The lawsuit against UKG, which was filed on March 4, slammed the payroll service provider for its response to a ransomware attack in December. The attack disrupted the Kronos Private Cloud and knocked client payroll systems and other services offline for an extended period of time.
UKG later disclosed that attackers had also stolen "a relatively small volume of data" that was limited to just two customers. However, the class-action lawsuit claims the Kronos breach "exposed millions of workers' sensitive and confidential personal identifying information ('PII') to cybercriminals."
Inside the lawsuit
Adam Bente, the filing plaintiff in the suit, is a current employee of the Family Health Centers of San Diego (FHCSD). According to the suit filed with the U.S. District Court for the Southern District of California, FHCSD has over 1,800 employees, all of whom suffered from some form of a delay in receiving paychecks following the attack on UKG.
The Law Offices of Ronald A. Marron is the team representing Bente and the rest of the class members in the lawsuit.
"Plaintiff, like all Class Members, was delayed payment of his paycheck following the data breach," the lawsuit stated. "Plaintiff, like all Class Members, has lost time and expenses from having to mitigate the consequences of the delay in payment of his paychecks."
The suit identifies potential class members as anyone impacted by the ransomware attack, whether it be due to a delay in payment or a risk of data exposure. These people could be employees at any of the hundreds of organizations that use UKG's software and services.
According to the filing, the timing of the incident aggravated the pain that many of the victims felt from this attack.
"The timing of the data breach could not have come at a worse time, leaving many employees to worry over their privacy and paychecks during the peak of the holiday season as well as the latest surge of the COVID-19 pandemic."
When it comes to why UKG is at fault in this case, the suit identifies a poor cybersecurity system as the main reason for the ransomware attack.
"As a result of its lack of adequate security measures, UKG was attacked by hackers who launched a ransomware attack on UKG's timekeeping system, Kronos Private Cloud, on or around December 11, 2021," the suit stated.
The suit claimed that as ransomware attacks and cyber attacks have risen around the world over the past years, UKG had the information and ability to create a strong cybersecurity system, which it failed to do, potentially exposing the data of millions and stalling paychecks to workers during a time of great need.
Data breach questions
The second major aspect of this suit was the risk that the plaintiff faced as a result of the Kronos breach itself. According to the suit, as a workforce management service, UKG collects and stores PII such as names, addresses, email addresses, Social Security numbers and other sensitive employment data.
"As a direct and foreseeable result of UKG's negligent failure to implement and maintain reasonable data security procedures and practices and the resultant breach of its systems, Plaintiff and Class Members also suffered harm in that their sensitive PII has been exposed to cybercriminals and they now have an increased risk and fear of identity theft and fraud," the lawsuit claimed.
At the time of the attack, UKG informed customers that may have had data exposed by the incident but could not yet confirm the extent. In some cases, it was weeks or months before victims knew if their information was secure.
According to the lawsuit, one issue for Bente was that throughout the data recovery and analysis process, UKG could not identify exactly whose data was exposed, what data was exposed and whether it was actually misused.
One section of the filing refers to frequent announcements by UKG regarding the exposed data. According to UKG, just two of its customers had employee data stolen, but the suit pointed out that "UKG admits its forensic investigation is still ongoing."
The most recent update on UKG's website, published on March 4, said the company had completed the investigation into the data breaches and reaffirmed that only two of its customers had data stolen.
The closing statement of UKG's update attempted to provide some closure for customers, stating "if you have not heard from us directly, you can feel confident that we have found no evidence that any personal data of individuals associated with your organization was exfiltrated."
But the lawsuit claimed "millions" of customer employees had their data exposed in the Kronos breach. Specifically, Bente said he has experienced several problems in the wake of the breach that he believes stem from the attackers obtaining his PII.
"Since the data breach, Plaintiff has received on average, per day 5-6 spam calls to his cell phone and countless spam e-mails. Further, shortly after the data breach, Plaintiff received a notification from his credit card company that his Social Security number had been discovered on the dark web. Upon information and belief, Plaintiff's Social Security number, cell phone number and e-mail address were exfiltrated by the hackers who obtained unauthorized access to Plaintiff's and Class Members' PII."
According to the lawsuit, Bente saw this extended investigation process and lack of concrete confirmation either way as a great cause of stress and fear throughout this process on top of the issues with pay.
"Plaintiff and Class Members continue to suffer injury as a result of the compromise of PII and remain at imminent risk that further compromises of their PII will occur in the future," the suit stated as one of its claims for relief.
Some organizations, like athleticwear company Puma and New York's Metropolitan Transportation Authority, were definitively told that their information was stolen. Puma and the 6,632 employees who had personal data stolen as a result of the attack were cited in the suit.
This lawsuit was not the first one filed against UKG following the ransomware attack. In January, employees of Tesla and Pepsi filed a suit in regard to the payroll outages that their companies suffered.
Pepsi's case was also mentioned in Bente's lawsuit, which claimed the soft drink giant had employee information misused following the data breach and experienced spam and phishing attacks.
"Online sources indicate that PepsiCo employees' PII was also stolen during the data breach. PepsiCo employees impacted by the breach have reported hacking of their banking information in the weeks following the breach."
The suit concluded with the remainder of the claims for relief as well as the relief requested by the plaintiff and the other class members. In total, there are nine counts under the claims for relief, featuring alleged violations of five California laws, including the California Consumer Privacy Act.
The relief requested consisted of eight points. If the court rules in favor of the plaintiff, UKG must provide "an award to Plaintiff and the Class of compensatory, consequential, nominal, statutory, and treble damages as set forth above," and must ensure that UKG will strengthen its cybersecurity systems and notify customers in a timely fashion if their data may be at risk of exposure.
UKG declined to provide further comment to SearchSecurity regarding this pending case.
The Law Offices of Ronald A. Marron could not be reached for comment.