
Client alert: Kronos Private Cloud ransomware attack

By Claudia Piccirilli and Jason D. Krauss | December 22, 2021

Understand the impact to your organization following the recent Kronos Private Cloud ransomware attack.
Topics: Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

What happened

Kronos Private Cloud was hit by a ransomware attack on December 11.[1] The event caused an outage of several of the HR services firm's application modules,[2] including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.[3] Although not confirmed, sources suggest that the ransomware attack may have been the result of a targeted phishing attack or a zero-day vulnerability, such as the log4j vulnerability.[4]

The timeline: what you should know

Late on Saturday, December 11, 2021, Kronos became aware of unusual activity that was impacting its Kronos Private Cloud, a secure storage and server facility hosted at a third-party data center. An investigation uncovered that the unusual activity was the result of a ransomware incident.

The Kronos Private Cloud, which hosts some of the more heavily utilized Kronos application modules for time management, payroll processing and other HR-related activities, is secured using firewalls, multi-factor authentication and encrypted transmission to prevent unauthorized access to these applications. Despite these protections, the attackers were able to breach the systems, and likely encrypted servers as part of the attack.

The immediate impact was that the Kronos Private Cloud applications were rendered unavailable.[5] The company communicated that it might take up to several weeks to restore system availability and encouraged clients to invoke alternative business continuity protocols for the impacted applications. Kronos also recommended that clients reach out to the UKG Customer Support Team for guidance and input on those protocols.

The impact

Payroll, time-keeping and other HR-related activities are an essential support process for many companies. Reliance on these applications is even greater during year-end activities, when companies are already operating with a reduced workforce and scrambling to determine who will be working, who has called out sick and who is on vacation. Many counties and municipalities across the U.S. and the world that depend on the software are currently operating without this information, crippling public safety operations. It is also important to note that the Fair Labor Standards Act (FLSA) imposes record-keeping requirements for non-exempt workers. Further, most states have their own laws requiring employers to provide access to pay stubs, which usually include the hours worked by an employee. It is therefore possible that, because of the Kronos incident, certain organizations will fall out of compliance with the FLSA and state laws, resulting in costs and penalties that vary from state to state.

Customers may be forced to run payroll with spreadsheets, paper and pencil in order to generate payroll checks and monitor timekeeping.[6] The timing of this attack is not unusual: ransomware gangs routinely plan attacks for periods when organizations are short-staffed for the holidays or are extremely busy.[6] They do so in the hope that organizations will be slow to discover the intrusion and respond, and more likely to pay ransom demands because of the increased pressure to serve customers.

The event is causing customers to disable connections to the UKG/Kronos Cloud and treat it as an untrusted entity until there is a more detailed response to the event. Customers are also trying to assess whether backups exist and whether they can be restored.

What you should do

Kronos is in the process of remediating the incident and alerting its impacted customers. Because of the nature and type of services Kronos provides, HR, IT and other groups inside organizations that are customers of the impacted services should be addressing several issues.

First, regarding communications, clients need to think through how they will respond to inquiries from employees and contractors[7] about the impact of the incident and how it will affect their personal information, their schedules and their pay.

Second, regarding compliance, clients should consider invoking their business continuity plans, depending on which services they rely on Kronos for.[8] If a client uses the Kronos time management system, it should implement measures to ensure that employees' time is properly captured and paid, especially where it has a legal obligation to do so.[7]

Third, regarding cybersecurity, clients should recognize that this is not just a Kronos problem. Breach notification laws will likely apply, and clients should contact their legal counsel for guidance. If the client has a cyber insurance policy, counsel should be retained through the cyber insurance carrier, with assistance from the client's broker.

Further, impacted Kronos clients should review their Kronos Service Agreement, evaluate the services they receive from Kronos and make sure they fully understand the nature and extent of the information that Kronos maintains on the company's behalf.

Insurance implications and considerations

If the Kronos incident leads to the loss of data or the compromise of personally identifiable information, protected health information or confidential business information, or if the Kronos software falls within the policy's definition of a computer system or network, data incident response expense coverage would likely be available. Data recovery coverage could also be triggered. What is less clear at this stage is whether dependent business interruption coverage would be triggered by this incident. The question will be whether the client has sustained a loss of income as a result of the software failure. The inability to track employee time may not be viewed as something that directly results in a loss of business income. While the insured could incur extra expenses to use alternative timecard machines, those expenses are covered only if they help to reduce what would otherwise be a loss of business income.

Clients are advised to work with their broker to review their cyber insurance policy and discuss potential coverage options, including but not limited to presenting foreseeable and immediate impacts to business income in their claim submissions.

Why Willis Towers Watson

As a global leader in human capital solutions, risk advisory and broking services, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.

Footnotes

[1] https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US

[2] https://www.darkreading.com/attacks-breaches/kronos-suffers-ransomware-attack-expects-full-restoration-to-take-weeks-

[3] https://www.bleepingcomputer.com/news/security/kronos-ransomware-attack-may-cause-weeks-of-hr-solutions-downtime/

[4] https://www.upi.com/Top_News/US/2021/12/14/human-resources-company-Kronos-ransomware-attack-payroll/7431639504617/

[5] https://www.scmagazine.com/news/cybercrime/ransomware-attack-takes-down-kronos-private-cloud-for-several-weeks

[6] https://threatpost.com/kronos-ransomware-outage-payroll-chaos/176984/

[7] https://www.jdsupra.com/legalnews/responding-to-the-kronos-cyber-attack-5535732/

[8] https://www.bloomberg.com/news/articles/2021-12-14/kronos-warns-cyberattack-may-knock-hr-software-offline-for-weeks

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc. (in Canada).

Authors

Product Director, Cyber Analytics

FINEX NA Cyber Thought & Product Coverage Leader