Cybersecurity

One month since a ransomware attack, Kronos clients are still struggling to recover

More bad news? There’s currently little in place to stop ransomware attacks.
article cover

Francis Scialabba

· 6 min read

This winter, popular payroll, time, and attendance management platform Ultimate Kronos Group (Kronos) had devastating news for 2,000 clients that depend on its cloud-based solutions, Kronos Private Cloud (KPC): On December 11, the company discovered a ransomware attack and disclosed the attack to impacted clients on December 12. Kronos could not immediately restore cloud-based services and, in at least one case, couldn’t provide backups of client data. It said on December 13 that it could take weeks for a full system recovery.

In a December 13 email to impacted clients including Honda, GameStop, Whole Foods, the MTA, Tesla, MGM International, many hospital systems nationwide, and the city of Cleveland, Kronos stressed that clients should “evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other operations important to their organization.”

But for many impacted companies, there was no plan B: The outage left many logging time by hand. Kronos offered interim guidance on December 24, including CSV templates for tracking time and workarounds for using its time clocks offline. In Kronos’s online support forum, customers have been incredulous. One commenter, “tacomageorge,” summed up the general frustration, writing, “it is extremely disappointing how this has been handled.”

Kronos spokesperson Erik Carlson said in an email to HR Brew that the company has been updating clients regularly. He declined an interview with HR Brew, but directed us to correspondence sent to clients since the breach was announced, and an FAQ document on instituting interim procedures. Between December 12 and the New Year, Kronos provided impacted clients with daily updates (yup, including on Christmas).

Carlson pointed HR Brew to a December 30 email that promised, “We are now working on restoration of customers in parallel, which will begin in phases during the week of January 3 and be complete by January 28.”

Despite Kronos’s efforts at damage control, John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association, called the attack a “rolling crisis.” He acknowledged that Kronos is “the victim of a crime,” but said he’s been “disappointed with the availability of information.”

Anybody out there? When Kronos came crashing down, UKG promised support through its UKG Kronos Community. Some have felt like the support amounted to little more than lip service.

“I have seen communications from Kronos that just said, ‘Resort to your downtime procedures.’ That hadn’t really been worked out with Kronos. My understanding is that there was a lot of reliance on Kronos, and their resiliency and redundancy in procedures,” Riggi told HR Brew.

Riggi says many of the employees he represents live “paycheck to paycheck” and count on stable pay, particularly during the holidays.

According to Riggi, the majority of AHA employees have been paid throughout the outage due to—you guessed it— “HR folks working 24/7.” Unfortunately, he said, there’s no guarantee of accuracy.

“Go ahead and pay [employees],” Riggi said. “However, that [method] may not take into account shift differentials, holiday pay, overtime—which clearly they're all working overtime.”

The lack of access to usual payroll processes has reportedly resulted in severe discrepancies elsewhere in the country. On December 23, two hourly employees at Grady Memorial Hospital in Atlanta noticed their paychecks were a little light: One says they were paid 75 cents, and the other says they made a whopping 86 cents for her efforts, The Decaturish reported.

HR is challenging. HR news doesn’t have to be.

HR Brew keeps you effective in the fast-changing business environment.

In an effort to prevent errors like this, Baptist Health is paying “an average based on prior cycles, including standard hours and an average of historical overtime and differentials,” said  Cindy Hamilton, executive communications director. Once Kronos is back online, any pay discrepancies that need to be fixed will be “fully trued-up.”

Riggi noted that the problems are only going to get more hairy in the new year.

He worries that ongoing disruptions could lead to “delayed” W-2s for health care workers, causing a cascade of impacts that might include delayed tax filings, delayed returns, and delayed refunds, turning the hack into “an ongoing financial pain point for our health care workers.”

How big is this thing? In a time where ransomware attacks are on the rise, this hack and its wide-ranging impact still took HR by surprise.

“It’s not something we’ve seen before on this scale, on the HR side,” Sam Grinter, senior principal analyst at advisory firm Gartner, told SHRM.

HR Brew reached out to 18 companies impacted by the hack, all of which were non-responsive or tight-lipped about the impact on business processes. Of the companies that did respond, Honda’s Marcos Frommer acknowledged a “temporary disruption to our payroll reporting system,” and Eugene Resnick, a spokesperson for The MTA, reported “20,000 of the MTA’s 66,000 active employees” are being impacted by the breach.

Two weeks into the new year, HR Brew couldn’t find a single impacted company that would go on record as being partially or fully back online. According to Hamilton, Baptist Health in Florida, her hospital, is in the process of “testing and validation.” But they’ll fall short of Kronos’s January 28 target.

“We expect our Kronos service to be fully restored in February,” Hamilton told HR Brew.

As the outage stretches on, social media has filled with posts wondering when employee paychecks will be corrected. Many employees and HR professionals appear to be at their wits’ end.

“I work in a hospital in a rural part of the state. With our Covid surge affecting the community and all employees and Kronos being down I’ve been working 12-13 hour days,” one Reddit user vented on r/humanresources, “I. am. burnt. Out.”

Unfortunately, while employees may well recognize HR's attempts to fix the problems, that labor isn't good enough if they're not being paid.

Screengrabs of two tweets from workers who say they have not been paid correctly.

As recently as January 13, Reddit users claiming to be Whole Foods employees say they were notified that their direct deposits would be delayed due to payroll processing difficulties caused by the Kronos outage. (Whole Foods representatives did not immediately respond to a request for comment.)

One thing is for sure: Kronos may be the first large HR vendor to fall victim to a ransomware attack, but it’s unlikely to be the last. Ransomware attacks are on the rise, and, according to cybersecurity firm SonicWall, the first half of 2021 saw a 151% increase in attacks compared with the first half of 2020. Companies should prepare their plans B, C, and D now, so they aren’t processing payroll in a panic—Some organizations, including JD Supra, have thoughts on how to do do so, though federal guidance remains vague.—SV

Do you work in HR or have information about your HR department we should know? Email [email protected] or DM @SusannaVogel1 on Twitter. For confidential conversations, ask Susanna for her number on Signal.

HR is challenging. HR news doesn’t have to be.

HR Brew keeps you effective in the fast-changing business environment.