.png)
Kronos/UKG Ransomware 2021: Payroll Down for Thousands of Employers Over the Holidays
Breach Summary
The Kronos/UKG ransomware attack of December 2021 disrupted payroll processing for thousands of employers across the United States during the holiday period, preventing companies from paying their employees accurately and on time through the HR systems they depended on — demonstrating that HR technology ransomware attacks can have direct employee compensation consequences across an entire customer ecosystem.
What Happened
UKG discovered the ransomware on December 11, 2021 and took Kronos Private Cloud offline. Affected employers included PepsiCo, The New York Metropolitan Transportation Authority, Whole Foods, Constellation Brands, and approximately 2,000 others. Employers scrambled to implement manual payroll processes. Some failed to pay employees correctly or on time, generating wage and hour violations. UKG restored services beginning in late January 2022 — six weeks after the attack. Class action lawsuits were filed by employees who received incorrect paychecks.
Attack Vector Detail
Attackers compromised Ultimate Kronos Group's cloud HR and workforce management platforms using ransomware, encrypting the systems used by thousands of employers for time tracking, scheduling, and payroll processing. The attack affected Kronos Private Cloud, which hosted the HR systems of approximately 2,000 organizations. Affected organizations included hospitals, retailers, transit authorities, and local governments who could not process payroll through normal systems for weeks.
Breach Pattern Timeline
December 11, 2021
Ultimate Kronos Group (UKG) — major HR, payroll, and workforce management SaaS provider — detects unusual activity in Kronos Private Cloud environment. Activates incident response.
December 13, 2021
UKG publicly confirms ransomware attack against Kronos Private Cloud. Affects UKG Workforce Central, UKG TeleStaff, Banking Scheduling Solutions, and Healthcare Extensions products. Tens of thousands of customer organizations cannot process payroll, schedule employees, or access time-tracking data.
December 13-31, 2021
Affected customers — including Tesla, Whole Foods, MGM Resorts, Honda, GameStop, San Francisco MTA, City of Cleveland, NYU Langone Hospital, and thousands of healthcare systems, municipalities, and corporations — implement manual workarounds for payroll. Many switch to estimated paychecks.
December 2021 - January 2022
Recovery proceeds slowly. UKG provides daily updates but full restoration takes weeks. Healthcare organizations particularly affected as nursing schedules, contract worker management depend on UKG.
January 22, 2022
UKG announces restoration of most core Workforce Central functionality. Some customers continue partial workarounds for additional weeks.
February 2022
UKG confirms data exfiltration during the incident. Affected customer employees begin receiving breach notifications.
April 2022
Class actions filed by employees of affected organizations who experienced incorrect or delayed paychecks during the outage.
2022-2024
UKG class action settled for $6 million by City of Cleveland alone. Total industry-wide settlement and remediation costs exceed $200 million. UKG-Kronos becomes case study for SaaS HR-tech concentration risk.
Total impact: Tens of thousands of organizations + millions of employees affected, payroll processing disrupted for weeks at scale, $200M+ collective remediation/settlement costs, foundational precedent for SaaS HR/payroll concentration risk and the operational continuity question for vendor-managed business-critical services.
Executive Lessons
Kronos established that payroll infrastructure — often treated as a commodity IT function — is in fact critical infrastructure whose unavailability can create legal and financial consequences for employers across entire industries. The 13-week outage forced employers to manually process payroll, with associated errors and labor law compliance risks. For PE sponsors, the Kronos breach reinforced that third-party vendor concentration risk in critical HR and payroll functions requires explicit business continuity planning.
Related Reading
Private Equity Implications
The Kronos attack illustrates that HR technology SaaS platforms are critical business infrastructure whose unavailability directly affects employee compensation and regulatory compliance. For PE portfolio companies, SaaS provider dependency analysis should identify HR technology providers and assess what manual payroll backup procedures would be required if the SaaS platform became unavailable for two to six weeks. SaaS provider contracts should include business continuity and recovery time objective commitments.