A ransomware attack on a major HR technology provider is creating chaos around attendance, scheduling and payroll for thousands of employers with no certain end to the problem in sight.
Ultimate Kronos Group (UKG) revealed that one of its cloud-based time and attendance systems—Kronos Private Cloud—was exploited by hackers and that the outage could last several weeks. That's especially distressing news due to the increased use of variable staffing and vacation scheduling around the holidays and the calculation of end-of-year payroll concerns such as bonuses.
Kronos Private Cloud includes the products UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions.
"It could not be worse timing, as many companies employing hourly workers are busier during the holiday season, and having to track more overtime, The attack not only comes during the crucial end of the year for scheduling and staffing but also right when UKG's annual customer conference was getting underway."
- Sam Grinter, senior principal analyst at advisory firm Gartner, based in London.
The attack, discovered Dec. 11, has affected 2,000 organizations that use the software, including enterprise companies, hospitals, government agencies, universities and emergency services like fire and police departments.
UKG said all products linked to the Kronos Private Cloud are unavailable, and it could take up to several weeks before service is restored. "We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities, The investigation remains ongoing, as we work to determine the nature and scope of the incident."
- UKG executive vice president Bob Hughes said in a statement.
There reportedly is no impact to the affected products if they were installed on-premises (not pulled in from servers in the cloud), nor other UKG products such as UKG Pro, UKG Ready and UKG Dimensions, which are housed in separate environments and not in the Kronos Private Cloud.
Grinter explained that ADP could be another vendor to watch, as it resells UKG Workforce Central as an ADP product. In addition, most major payroll providers have integrations with UKG (due to the 2020 merger with time and attendance pioneer Kronos).
UKG has been providing daily updates on the emergency, including informing clients that backup systems were unavailable due to the attack; the company had not discovered that the hackers stole any data; and that "In most instances, UKG timeclocks will record and store employee punches offline until connectivity can be restored… However, UKG strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim."
"Some employers may require workers to do that or ask them to write down their own hours, If not, it's always a good idea to still to go ahead and do that for yourself so that you know what you've worked and how many overtime hours, things of that nature, then that way you can compare it to what the employer has and make sure that you're paid appropriately."
- Amber Clayton, director of the Knowledge Center at the Society for Human Resource Management
He said another option is to just pay everyone the same as the previous pay cycle and try to figure out a way to straighten it out later. The problems with that approach include not being able to factor in those who worked more hours or fewer hours, not being able to pay new hires and sending out checks to people who have left the organization, Grinter said.
As for alleviating the situation by paying the ransom, UKG's actions so far indicate they are not going to take that route, but that could change, Grinter said.
Allan Liska, an intelligence analyst at Somerville, Mass.-based cybersecurity firm Recorded Future, said that even if the company decides to pay the ransom, it can take days to negotiate a settlement and put together the funds. And malware could be left behind for future ransom demands or other exploits. The only safe course is a complete rebuild of the server network, he said.
Protecting Employee Data
UKG has not determined whether the incident has impacted customer data. But the extent of employee information stored in Kronos Private Cloud—and therefore potentially exposed— varies by employer. The city of Cleveland for example, warned its workforce that names, addresses and the last four digits of Social Security numbers could be at risk.
"UKG has been notifying affected customers and those customers are obviously working with UKG to ascertain what data was included, and whether that data was exfiltrated prior to the deployment of the ransomware, Companies can proactively determine what may have been compromised by doing their own analyses, Companies will have to determine what data was compromised, what their legal obligations are and what their contractual agreements are with UKG for that process."
- Linn Freedman, a partner in the Providence, R.I., office of law firm Robinson & Cole.
Is Log4j the Culprit?
It is being theorized that the UKG ransomware attack may be related to the recently disclosed Log4j vulnerability. The bug, also known as Log4Shell, was discovered in a commonly used bit of Java software on Dec. 9.
Officials at the U.S. Cybersecurity and Infrastructure Security Agency have since warned that state-sponsored hackers from China, Iran, North Korea have started testing and exploiting the vulnerability, which allows remote attackers to take over a device. The agency said that hundreds of millions of enterprise and consumer devices are at risk until the bug is patched.
Tech companies have been scrambling to address the threat, but organizations and consumers should immediately patch any applications or systems affected by it if possible, according to cybersecurity experts.
UKG maintains that there is no connection to log4j. "We are investigating whether or not there is any relationship between the security incident and the Log4j vulnerability," UKG said.
Preparing for Ransomware Attacks
Freedman said that the ransomware attacks we're seeing are just the beginning of a disturbing trend. "There has been an increase in the number of cyberattacks against companies that have access to many other companies' data," she said, citing the data breach at file-sharing firm Accellion in December 2020 and numerous attacks against managed IT service providers this year. "These criminals want to inflict as much pain as possible," she said.
She said that there's a long list of things companies can and should do to mitigate the effects of a ransomware attack but know that these events cannot be completely prevented because of zero-day exploits which hackers can take advantage of before they are even known by the affected technology providers.
Those action items include the development of contingent and backup plans, disaster recovery plans, remote desktop protocol monitoring, insider threat intelligence, multi-factor authentication on all applications and strong spam filters. "Even all of the most effective security measures, however, can never completely prevent a cyberattack," she said.