Cyber Incident Victim: UKG
Date: Dec 2021
Location: United States of America
Summary
A ransomware attack disrupted UKG's Kronos Private Cloud infrastructure, impacting workforce management and human resources solutions including timekeeping, payroll, and scheduling services. The incident caused extended downtime, requiring weeks for restoration, while unaffected systems included UKG Pro, Ready, and Dimensions. The company initiated immediate mitigation efforts but advised affected customers to implement alternative business continuity measures such as manual record-keeping via spreadsheets or paper-based processes. The outage occurred during a critical period for organizations managing holiday staffing and year-end financial operations, exacerbating operational challenges for entities reliant on the compromised cloud environment.
Description
On December 11, 2021, workforce management and HR solutions provider UKG (formed through the 2020 merger of Kronos and Ultimate Software) detected unusual activity impacting its Kronos Private Cloud (KPC) infrastructure. The company initiated an immediate investigation and confirmed the incident as a ransomware attack affecting cloud-hosted services including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. UKG publicly disclosed the incident on December 13 through a statement from Executive Vice President Bob Hughes, confirming the attack targeted KPC—a third-party hosted environment marketed as secure through firewalls, multi-factor authentication, encrypted transmissions, and compliance with SOC 1, SOC 2, and SOC 3 auditing standards. Systems outside the KPC environment, including UKG Pro, UKG Ready, and UKG Dimensions, remained operational throughout the incident. The company advised affected customers to implement alternative business continuity measures while restoration efforts commenced.

The ransomware attack caused extended service disruptions expected to last several weeks, significantly impacting organizations reliant on KPC for payroll processing, timekeeping, and workforce scheduling during peak holiday season operations. Affected entities spanned multiple sectors including automotive manufacturing (Tesla), higher education (Temple University), financial services (Community Bank), and public transit (San Francisco Municipal Transit Authority). With systems inaccessible, customers reverted to manual processes such as spreadsheet tracking and paper-based timekeeping to maintain payroll operations. UKG provided no public timeline for full restoration of KPC services beyond the multi-week estimate, nor did it disclose technical details regarding the ransomware variant or initial attack vector. The incident occurred during a critical period for year-end payroll processing, employee bonus distributions, and workforce scheduling amid holiday staffing shortages.
