The Kronos UKG ransomware attack of December 2021 exposed the personal and payroll information of an estimated 40 million employees across dozens of major corporations and government agencies, and a $6 million settlement was approved in November 2023 to compensate affected workers. This data breach stands as one of the largest incidents targeting payroll and timekeeping systems in recent history, impacting household names like Tesla, PepsiCo, FedEx, Whole Foods, Gap, Samsung, and MGM Resorts, along with critical infrastructure including the New York Metropolitan Transportation Authority and multiple city government offices.
If you worked for any of these employers on December 11, 2021—when suspicious activity was first detected in Kronos’s Private Cloud system—you may be eligible for compensation of up to $1,000 for ordinary losses or up to $7,500 for extraordinary losses, depending on the losses you experienced. The settlement agreement included a $5.5 million base fund plus up to $500,000 in supplemental compensation, with UKG also committing to spend approximately $1.5 million on cybersecurity improvements. The class action settlement was finally approved by a federal court on November 21, 2023, after months of litigation and negotiation, opening the door for affected employees to file claims for unreimbursed expenses related to the breach, including communication costs, bank fees, credit monitoring charges, and documented identity theft losses.
Table of Contents
- What Was the Kronos Ransomware Attack and How Many People Were Affected?
- What Personal Information Was Exposed in the Kronos Data Breach?
- Which Companies and Employers Were Impacted by the Kronos Breach?
- How Much Money Can You Receive From the Kronos Settlement?
- What Are the Requirements to File a Claim in the Kronos Settlement?
- What Happened With the Cargill Settlement From the Same Breach?
- Has UKG Improved Its Security After the Kronos Breach?
- Conclusion
What Was the Kronos Ransomware Attack and How Many People Were Affected?
On December 11, 2021, Kronos, a leading provider of cloud-based workforce management and human capital management (HCM) solutions, discovered suspicious activity in its Private Cloud environment. The attack was carried out by the LockBit ransomware gang, which encrypted Kronos’s systems and demanded payment in exchange for unlocking them and deleting stolen data. Although Kronos initially downplayed the scope of the incident, claiming that only a small fraction of its customers were affected, subsequent investigations and legal filings revealed that the breach exposed sensitive information for an estimated 40 million employees across the United States and beyond. The timing of the discovery made the breach particularly damaging: it occurred during the winter holiday period, when many payroll and HR departments were operating with reduced staffing.
This meant that thousands of companies did not discover the full extent of the attack or begin notifying employees for weeks or even months afterward. The delay in detection and notification only compounded the harm, as some individuals did not learn their personal and financial information had been compromised until early 2022, giving potential fraudsters an extended window to misuse the data. Unlike typical data breaches that target financial institutions or retailers, the Kronos attack specifically targeted workforce management systems, meaning that attackers gained access to real-time payroll data, Social Security numbers, names, addresses, phone numbers, email addresses, wage information, and sometimes tax identification documents. The scope of the breach—affecting an estimated 40 million individuals—makes it comparable to some of the largest healthcare data breaches in history, though with a much narrower focus on employment and payroll data rather than medical information.

What Personal Information Was Exposed in the Kronos Data Breach?
The data exposed in the Kronos Private Cloud breach was extensive and sensitive, primarily consisting of payroll and employment-related personal information. According to lawsuits and settlement documents, the compromised data included employees’ names, home addresses, phone numbers, email addresses, Social Security numbers, dates of birth, wage and salary information, bank account details, and tax identification documents. In some cases, depending on what employers had stored in their Kronos systems, the breach also exposed employment history, job titles, department assignments, and other workplace information. What makes this particular breach especially concerning is that payroll data is more directly connected to financial identity theft than many other types of personal information.
Unlike a credit card number that can be cancelled and replaced, a Social Security number and employment history are permanent identifiers that fraudsters can use to open new credit accounts, file fraudulent tax returns, or commit other forms of identity theft that can take years to unravel. For example, if someone used stolen payroll data to claim fraudulent tax refunds or unemployment benefits under an employee’s name, the victim could face tax audits and complex legal disputes to prove they weren’t responsible for the fraudulent filings. One significant limitation of the settlement is that it does not provide free credit monitoring or identity theft insurance to all class members—instead, it only compensates individuals for documented losses they incurred as a result of the breach. This means that if you were fortunate enough to not experience any fraud or financial harm from the Kronos breach, you would not be eligible to recover anything even though your personal information was exposed. The settlement’s structure assumes that exposure to data equals harm, but in practice, many individuals whose information was compromised never experienced any actual fraudulent activity or financial loss.
Which Companies and Employers Were Impacted by the Kronos Breach?
The Kronos ransomware attack affected a strikingly diverse roster of major employers across industries and geographies. Among the most recognizable names are Tesla, which had to deal with significant payroll disruptions during the attack; PepsiCo, one of the world’s largest food and beverage companies; FedEx, the global logistics giant; and Whole Foods, the Amazon-owned supermarket chain. Other major corporations impacted include Gap Inc. (affecting hundreds of thousands of retail workers), Samsung, and MGM Resorts, which operates massive casino and hospitality properties across the United States. Beyond the private sector, the breach also exposed the personal information of public employees and transit workers.
The New York Metropolitan Transportation Authority (MTA) had approximately 20,000 of its employees’ data compromised, along with multiple city and county government offices, including the City of Cleveland and the City of Springfield, Massachusetts. This government exposure was particularly notable because it affected essential service workers—transit employees who depend on timely, accurate payroll processing to maintain the transit systems that millions of people rely on daily. The diversity of affected employers underscores how deeply Kronos is embedded in U.S. business infrastructure. Kronos and its parent company UKG serve employers of all sizes, from Fortune 500 corporations to mid-market companies and government agencies. For many of these large employers, Kronos was the backbone of their payroll and timekeeping operations, meaning that when the system was compromised, it created cascading operational and financial problems that went well beyond the data breach itself—many employers struggled to process paychecks, calculate overtime, and manage leave balances for weeks during the incident.

How Much Money Can You Receive From the Kronos Settlement?
The $6 million Kronos settlement (consisting of a $5.5 million base fund plus up to $500,000 in supplemental awards) is structured in a tiered system designed to compensate different types of losses. For ordinary losses—which include unreimbursed expenses directly caused by the breach—eligible class members can recover up to $1,000 per person. These ordinary losses specifically cover tangible, out-of-pocket expenses such as charges for credit monitoring services, credit freeze or unfreeze fees with credit bureaus, phone calls made to resolve fraud or account issues, postal costs for sending letters to credit card companies or banks, bank fees assessed due to fraudulent charges, and up to four hours of lost time at a rate of $25 per hour. For those who experienced more serious consequences from the breach, the settlement provides extraordinary loss compensation. Claimants who can document that they actually fell victim to identity theft, fraudulent credit card charges, fraudulent loan applications, false tax filings, or other specific forms of fraud related to the breach can claim up to $7,500 in extraordinary losses.
However, there is a critical limitation: you must provide documentation of the fraud, such as police reports, credit bureau dispute letters, communications with affected financial institutions, or IRS correspondence regarding fraudulent tax filings. Simply having your data exposed is not sufficient; you must prove that actual identity theft or fraud occurred and that you suffered financial harm as a result. The tradeoff between the two compensation tiers means that the settlement benefits those who can document fraud far more generously than those who experienced only inconvenience or worry. For instance, if you paid $200 for credit monitoring and made a few phone calls to verify your credit, you might qualify for $300-$400 in ordinary losses. But if someone else used your stolen SSN to open three credit card accounts and file false tax returns—requiring you to file identity theft police reports and dispute the fraudulent accounts—you could recover $7,500 under the extraordinary loss provision. This incentive structure means that keeping documentation of any problems that occur after the breach date (December 11, 2021) is essential to maximizing your recovery from the settlement.
What Are the Requirements to File a Claim in the Kronos Settlement?
To be eligible for the Kronos settlement, you must meet several basic requirements. First, you must have been employed by a company or organization that used Kronos Private Cloud services and had your personal information exposed in the December 2021 breach. This includes employees of any of the major companies mentioned above, as well as employees of smaller and mid-sized businesses and government agencies that used Kronos systems. Simply working for a major corporation is not automatic proof of eligibility—you need to verify that your employer actually used Kronos Private Cloud specifically (as opposed to other Kronos products or competitors’ systems). Second, you must have suffered harm directly or indirectly attributable to the breach. For ordinary losses, you must have incurred genuine, documented out-of-pocket expenses.
For extraordinary losses, you must prove that you experienced actual identity theft or fraud and can provide supporting documentation. One important warning: the settlement claim period is limited. While the exact deadline depends on court orders, settlement documents typically establish a final claim deadline, and any claims submitted after that date will be rejected regardless of eligibility. Check the official settlement website at kronosprivatecloudsettlement.com for the current claim deadline and submission instructions. A significant limitation is that the settlement requires proof of losses, which can be burdensome. Many people affected by the breach experienced emotional distress, anxiety about potential future fraud, and inconvenience, but these intangible harms are not compensated by the settlement. Additionally, if you already received compensation from your employer for the breach—for example, if your company paid for credit monitoring as a courtesy—you may not be able to claim those costs again from the settlement (though this varies based on the specific settlement language and the claims administrator’s interpretation).

What Happened With the Cargill Settlement From the Same Breach?
Cargill, one of the world’s largest privately held companies and a major food production corporation, was among the significant employers affected by the Kronos breach. Rather than waiting for the broader class action settlement, Cargill negotiated its own separate settlement for the approximately 3,600 employees whose data was exposed in its Kronos systems. In 2024, Cargill’s settlement of $2.4 million was approved, allowing affected Cargill employees to file claims for their losses from the breach.
The Cargill settlement demonstrates how large employers sometimes pursue independent legal remedies rather than relying solely on the class action against UKG. This can sometimes result in more generous per-person compensation for employees, though the Cargill settlement was negotiated between Cargill and its insurers rather than being a direct settlement with UKG. If you were a Cargill employee affected by the Kronos breach, you may be eligible to claim under either the broader class action settlement or Cargill’s separate settlement, but you should carefully review which option provides better compensation for your specific circumstances.
Has UKG Improved Its Security After the Kronos Breach?
As part of the settlement agreement, UKG (the parent company of Kronos that formed in 2022) committed to spending approximately $1.5 million on cybersecurity improvements to prevent similar breaches in the future. While $1.5 million is a substantial investment, it represents a relatively small portion of UKG’s annual revenue, raising questions about whether it reflects a meaningful commitment to security or merely a compliance obligation. The specific security measures required by the settlement include enhanced network monitoring, improved access controls, regular security assessments, and better incident response procedures.
Since the 2021 breach, UKG has made various public statements about improving security and implementing new safeguards. However, the company has faced criticism for not immediately disclosing the full scope of the breach and for attempting to downplay its impact. The fact that the company was unaware of the attack for an unspecified period of time and that the ransomware gang was able to access such sensitive payroll data raises ongoing concerns about whether UKG’s security infrastructure is truly adequate for protecting the employment and financial information of millions of workers. Going forward, customers of Kronos and UKG services should carefully evaluate whether the company’s security posture meets their own compliance and risk management requirements.
Conclusion
The Kronos UKG ransomware breach of 2021 exposed the personal and payroll information of an estimated 40 million employees, making it one of the largest workforce management system breaches in recent history. The $6 million settlement approved in November 2023 provides compensation to affected employees for ordinary losses (up to $1,000) and extraordinary losses like documented identity theft (up to $7,500), with the settlement process available to any employee whose data was exposed by employers using Kronos Private Cloud systems. However, the settlement requires documentation of actual losses and has a limited claim period, so affected individuals should move quickly to gather evidence of any fraud or out-of-pocket expenses and submit claims before the deadline.
If you believe you were affected by the Kronos breach, visit the official settlement website at kronosprivatecloudsettlement.com to verify your eligibility, review the claim requirements, and learn the current deadline for submitting claims. Keep any documentation you have of fraud, identity theft, or expenses related to the breach—police reports, credit bureau letters, bank statements showing fraudulent charges, communications with creditors, and receipts for security services are all valuable evidence for maximizing your claim. The settlement represents compensation for harm already done, but more importantly, it serves as a reminder of the critical importance of strong cybersecurity practices among companies trusted with millions of workers’ most sensitive personal and financial information.
