Timekeeping biz Kronos hit by ransomware and warns customers to engage biz continuity plans
Big implications for millions of staffers' Christmas pay packets
Updated Kronos Private Cloud has been hit by a ransomware attack. The company, also known as Ultimate Kronos Group (UKG), provides timekeeping services to companies employing millions of people across the world.
Emails sent by Kronos to its corporate customers, seen by The Register, confirm the firm has pulled its private cloud services offline following a ransomware attack. It is advising customers to deploy "alternative business continuity protocols" – a move with potential implications for Britons' Christmas pay packets.
Kronos' messages to corporate customers were identical in wording to this post on Kronos' customer support forums, signed by exec veep Bob Hughes. It said:
We are reaching out to inform you of a cyber security incident that has disrupted the Kronos Private Cloud.
As we previously communicated, late on Saturday, December 11, 2021, we became aware of unusual activity impacting UKG solutions using Kronos Private Cloud. We took immediate action to investigate and mitigate the issue, and have determined that this is a ransomware incident affecting the Kronos Private Cloud — the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed.
Kronos' timekeeping products are used by companies in the UK including supermarket chain Sainsbury's, Boots the Chemist and Jaguar Land Rover, and large outfits in the US including Clemson Uni in South Carolina; Winthrop University Hospital in Long Island, New York; and state and local government customers such as Santa Clara County.
"Issues companies will have is employees don't know their schedule (it's in Kronos) and then when they clock in and out, that clock won't go anywhere," a Register reader, who works for an affected firm, told us.
Kronos' timekeeping service interfaces with companies' payrolls. In effect, it tells the payroll department how much to pay each staff member. The firm also provides rostering and shift management services.
"At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud," concluded its statement.
The message from Kronos said restoring full service would take "several weeks."
We have asked the company for comment and will update this article if it responds.
A Sainsbury’s spokesperson said: “We’re in close contact with Kronos while they investigate a systems issue. In the meantime we have contingencies in place to make sure our colleagues continue to receive their pay.”
It is not yet known whether the Log4j remote code execution vulnerability was the attackers' way in. Neither is the attackers' identity publicly known at the time of writing.
We understand some of Kronos' products and services can be deployed on-premises. Ransomware criminals could possibly compromise those too if the vuln they used exists in Kronos' software rather than in a network misconfiguration, but in the short term those on-prem deployments naturally won't be affected by the main Kronos shutdown.
Three years ago Kronos' US arm was sued by a nursing home employee who said its fingerprint-scanning tech violated a US state's privacy laws. ®
Updated at 09.00 UTC on 14 December 2021 to add:
Kronos sent us a statement:
"UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers. We took immediate action to investigate and mitigate the issue, have alerted our affected customers, and informed the authorities, and are working with leading cybersecurity experts. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services."