Published September 25, 2025 
read
Kronos data breach: what to know about the ransomware attack and its consequences
When payroll systems stop working, employees miss paychecks, benefits are delayed, and businesses are left scrambling. That’s what happened when Kronos, a workforce management platform, was hit by a ransomware attack in December 2021. The Kronos data breach disrupted payroll systems across thousands of U.S. organizations and left millions at risk.
Many employers faced litigation over the cyberattack, and the fallout extended beyond the company itself. This article explains what happened during the Kronos attack, how the company responded, and what data was exposed. We’ll also discuss any legal actions following the incident and steps you can take to protect yourself.
What is Kronos, and why was it targeted?
Kronos is a time-and-attendance software used by thousands of businesses across healthcare, retail, government, manufacturing, and education. The platform handles essential business tasks around scheduling, timekeeping, and payroll processing. While an exact number isn’t available, over 80,000 organizations rely on Kronos to pay their employees on time.
The employee data Kronos stores makes it an attractive target for cybercriminals to increase their leverage and exploit millions of employees. Aside from identity theft, threat actors disrupt payroll services to force companies to pay ransoms or rush recovery efforts.
What we know about the Kronos ransomware attack
Timeline of events
The Kronos data breach unfolded from mid-December 2021 to January 2022, but spread across the workforce for years afterward. An official disclosure to the American Hospital Association communicated the impact on the Kronos Private Cloud (KPC) service. The table below highlights the milestones of the incident.
| Date/Time Period | Event |
|---|---|
| December 11th, 2021 | UKG detected unusual activity in its KPC environment and confirmed a ransomware attack affected its cloud services. |
| Mid Dec. 2021 – Jan. 2022 | The company sent disclosures to customers, warning that systems may be offline for weeks, and urging employers to use alternatives. Temporary solutions included estimating hours and paper checks. |
| January 28th, 2022 | UKG issued limited recovery updates, completed by the end of January. |
How did the Kronos data breach happen?
The Kronos breach exposed how multiple security gaps can open the door for attackers. The following risks, also seen in other high-profile incidents, highlight the common weaknesses organizations face:
- Unpatched software and known vulnerabilities – Ransomware groups constantly scan for flaws listed in public CVE databases. Just one unpatched weakness can give attackers a way in. The Mother of all Breaches highlighted how ignoring known vulnerabilities greatly increases the risk of cyberattacks.
- Weak credentials (phishing/credential stuffing) – Cybercriminals reuse stolen login details to break into sensitive systems. The Spectrum data breach showed how compromised credentials can lead to larger security breaches.
- Third-party compromise – Threat actors target trusted vendor integrations to infiltrate and exploit their weaknesses. The Walmart data breach revealed just how supply-chain vulnerabilities increase the risks for consumers.
- Insider threats and contractor misuse – Representatives with privileged access can accidentally or intentionally expose sensitive data. The USAA data breach is a reminder of how contractor mishandling compromises client data.
Threat actors behind the Kronos hack targeted KPC systems, including:
- Healthcare extensions – These are scheduling and staffing tools for hospitals and healthcare systems to manage clinical staff coverage.
- Banking scheduling solutions – The KPC workforce management solutions help banks and other financial institutions coordinate their staff.
- UKG Workforce Central – A workforce management suite designed with analytics for larger employers’ timekeeping and payroll needs.
- UKG TeleStaff – A staffing solution typically used by public safety and government organizations, including police, fire, and emergency services, to schedule shifts.
The Kronos data breach didn’t impact UKG Ready, UKG Dimensions, or UKG Pro. On its privacy and data protection page, UKG’s privacy program aligns with SOC 1, SOC 2, ISO 27001, ISO 27017, and ISO 27018 standards. The company also used multi-factor authentication, encrypted data, and a secure file transfer system.
How Kronos responded to the hack
Following the Kronos security breach, UKG posted daily updates on its customer portal, stating that complete restoration of KPC was expected by January 28, 2022, but pacing would vary based on system complexity. To manage customer expectations, UKG assigned a recovery liaison to each organization as they restored services. Representatives validated critical functions of integrations, user interfaces, and data collection functions to ensure they were working correctly.
The company also strengthened its security by:
- Expanding scanning and monitoring programs
- Deploying additional malware tools
- Increasing cold-storage backups
Impact of the Kronos cyber attack
What information was compromised
The Kronos data breach exposed employee names, addresses, employee IDs, and the last four digits of their Social Security numbers.
How many businesses and employees were affected?
It’s estimated that over 40 million employees were affected by the Kronos breach. NPR reports that major companies, including PepsiCo, FedEx, and Whole Foods, were impacted by the Kronos outage. Some organizations reported their issues to local news outlets:
- According to a San Angelo Standard Times report, Shannon Medical Center in San Angelo, Texas, was affected by the breach and was forced to activate payroll downtime processes to keep staff on schedule.
- WKYC Studios spoke with the City of Cleveland, confirming its timekeeping services were compromised.
Payroll disruptions and operational consequences
The Kronos cyber attack didn’t just force organizations to use manual processes, payroll teams had to maintain automated processes by hand. Manual stopgaps created errors, which translated into delayed overtime, pay corrections, and increased anxiety, as holiday stress affected employees and their families.
Public fallout of the Kronos breach
It’s been a month, they hired Mandiant, the impact was huge. At what point do we get insight into the attack, IoCs, ingress data, etc?
Another outcome of the Kronos outage is the visible anger among online Reddit communities for IT staff, HR administrators, and employees. On Reddit, users criticized UKG’s lack of transparency and complained about the extended recovery timing.
Others feared that Kronos could be hiding critical data about malware and ongoing vulnerabilities.
Still others discussed the cause of the breach, suspecting the unpatched Log4J vulnerability, leading to a broader belief that the Kronos ransomware attack happened because of a known vulnerability.
Legal action: Kronos data breach class action and settlement details
A consolidated class action lawsuit was filed alleging that UKG failed to implement the appropriate cybersecurity safeguards, violated data privacy laws, and failed to manage customer data responsibly. The table below explains the key details of the lawsuit and settlement agreement.
| Key Details | Description |
|---|---|
| Class action case & jurisdiction | In re: UKG, Inc. Cybersecurity Litigation, Northern District of California |
| Class members | Current/former employees or contractors of UKG clients whose data was stored in KPC. |
| Allegations | Negligence: UKG failed to protect user data.Breach of contract: The company violated state privacy laws and California statutes. Unjust enrichment, invasion of privacy, and more. |
| Settlement amount | $6,000,000 |
| Payments to class members | Up to $1,000 for unreimbursed losses.Up to $7,500 for documented extraordinary loss, like identity theft and fraud.Additional payments of $100 and credit monitoring services were provided to California residents and exfiltration-notice recipients. |
| Non-monetary terms | UKG agreed to enhance its cybersecurity measures and bolster online privacy protections. The estimated cost of improvements was ~$1.5 million. |
| Timelines & deadlines | Deadline to file claims: October 3rd, 2023.Deadline to exclude/object: September 18th, 2023.Final hearing: November 17th, 2023. |
Affected individuals received an average payment of $760.81 after all applicable court fees. The Kronos hack also triggered legal action against many of the affected employers. In April 2022, Cargill employees sued the food corporation; Futrell v. Cargill ended in a $2.4 million settlement, which was approved in 2024.
Why do data breaches matter even if you’re not a Kronos Private Cloud user?
It’s tempting to ignore the Kronos breach, especially if you didn’t work for a company that used Kronos, right? No, cyberattacks can pose larger security risks that impact anyone. Here’s why data breaches matter:
- Vendor breaches create ripple effects. You may never use Kronos, but your next employer or local government could. A single flaw can expose your data or provide bad actors with resources to target critical infrastructure.
- Payroll and HR data are valuable. Cybercriminals will exploit any entry point to steal sensitive data. They will even steal partial data records, as these are still valuable when combined with other stolen information.
- Breach fallout extends to other individuals. Threat actors purchase stolen information that’s bundled or resold for phishing scams or to target new groups. The Discord data breach shows how platforms unrelated to payroll may become part of an expanding ecosystem of exposed information.
How to protect your data after a breach like Kronos
There’s no guaranteed method to stop all data breaches, but you can prepare for them by:
- Enabling multi-factor authentication settings. Many online services have multi-factor authentication (MFA) settings to manage your account. Use MFA to protect your email, financial accounts, and payroll portals linked to your identity.
- Protecting yourself from employment-related fraud. Use E-Verify’s Self-Lock to place a lock on your SSN. This will prevent bad actors from using your information for fraudulent wage reporting.
- Monitoring tax filings. If threat actors expose partial SSNs, they may attempt tax fraud. Set up an IRS online account and consider requesting an IRS Protection PIN to block fraudulent returns.
- Reviewing retirement and healthcare accounts. Many employer systems link to providers of 401(k), HSA, and FSA benefits. These accounts are attractive targets for cybercriminals, so check them for signs of unauthorized access.
How Onerep helps you stay private and protected
Even if you secure your online accounts, threat actors can still access exposed data, as data brokers and people-search platforms publish and sell it online. You can manually request removal from these sites, but the process can be time-consuming. Instead, you can automatically limit how much of your personal information is available for criminals to exploit.
Here’s how Onerep’s automated approach can help you stay protected:
- Thorough scans and removals – Onerep will scan 230+ data broker sites to track and delete your sensitive data until it’s removed. You can start with a free scan to see where your information is exposed.
- Continuous monitoring and cleanup – Your data often reappears on other platforms. Instead of a one-time removal, Onerep’s monthly scans remove listings as they reappear.
- Clear reports and updates – Onerep keeps you informed about your potential for data exposures. You can view the removal progress with informative updates and visual dashboards delivered to your inbox.
- A free trial with full access – Want to test Onerep first? Learn how our data removal platform put you back in control of your digital footprint.
FAQs about the Kronos hack
What is the problem with Kronos?
On December 11th, 2021, KPC was targeted by a successful ransomware attack that exposed client data. UKG took these services offline after the incident to address the issues.
Has Kronos been hacked?
Yes, threat actors responsible for the Kronos ransomware breach disrupted thousands of hospitals, municipalities, and many private organizations.
Was employee data stolen?
Yes, bad actors exposed names, addresses, employee IDs, and partial SSNs. However, UKG didn’t disclose how many were impacted.
What is the average ransomware payout?
Many factors influence the average ransomware payout, including the size and revenue of the organization and the ransomware actor type. According to an IBM report, the average ransomware payment rose to $2.73 million in 2024.
Is Kronos safe to use now?
Yes, UKG restored systems in early 2022 and invested $1.5 million in additional security measures.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.