Payroll Services Provider UKG Agrees to $6 Million Settlement in Data-Breach Lawsuit

Company will compensate breach victims after 2021 ransomware attack

PepsiCo is among the companies that were affected by a software disruption resulting from the 2021 ransomware attack.
PHOTO: TINGSHU WANG/REUTERS
By James Rundle
July 12, 2023 4:36 pm ET | WSJ PRO
Payroll services provider UKG has agreed to settle a class-action lawsuit stemming from a cyberattack in 2021, capping a significant piece of litigation that emerged from the incident.

A ransomware strike in December 2021 forced parts of UKG’s Kronos Private Cloud product offline, disrupting software that tracked employee hours during the Christmas holiday period. Some personal information, including that of current and former employees and contractors, was breached during the attack.

PepsiCo, New York City’s Metropolitan Transportation Authority, British supermarket chain J Sainsbury and numerous healthcare organizations were among those affected by the shutdown.

UKG was sued in January 2022 by employees of its clients, who brought nine causes of action. Allegations included negligence, unjust enrichment, breach of contract and violations of California privacy laws and others.

Under the terms of the settlement, which must be approved by a federal judge, members of the class will be entitled to compensation of up to $1,000 for losses from the data breach, and individuals who suffered fraud or identity theft will be entitled to up to $7,500 in damages.

UKG agreed to pay $5.5 million to cover claims and committed to provide an additional $500,000, if needed. The company has also agreed to improve its cybersecurity defenses, at an estimated cost of $1.5 million. The agreement doesn’t specify the measures UKG must put in place.

Lawyers for the class will seek up to 33.3% of the fund in fees, the settlement said.

UKG doesn’t admit any wrongdoing in settling the lawsuit, which alleged the company didn’t have reasonable or appropriate safeguards in place to prevent cyberattacks. UKG didn’t respond to a request for comment.

The cyberattack has spawned several other lawsuits, some against UKG and others from workers at affected companies who sued their employers over lost wages. A class-action lawsuit brought by PepsiCo workers was settled in December 2022, providing $12.75 million in damages. Ascension Health Alliance in St. Louis and one of its hospitals last year agreed to pay $19.7 million to settle disputes over employee wages following the UKG incident.

The settlement also compels UKG to disclose to plaintiffs how much information was breached by hackers, and how many people it affected. A hearing is scheduled for Nov. 17 in the U.S. District Court for the Northern District of California.