Kronos Still Dragging Itself Back From Ransomware Hell

UPDATE: Puma was one of the companies from which employees’ personal data was stolen. Customers including Tesla, PepsiCo and NYC transit workers are filing lawsuits over the “real pain in the rear end” of manual inputting, inaccurate wages & more.

Remember when Kronos, the workforce-management workhorse, got whacked by ransomware in December, right in time to gum up end-of-year HR busywork such as bonuses and vacation tracking?

Could take days to crawl back, Ultimate Kronos Group (UKG) said at the time. Or, then again, could take up to several weeks, it said in a subsequent update.

It turns out that dragging its Kronos Private Cloud (KPC) systems back has taken nearly two months. As of Jan. 22, it wasn’t yet done dragging them back, but aggrieved customers had started the process of dragging the company into court as scheduling and payroll was disrupted at thousands of employersincluding hospitals – many of which have been forced to log hours manually.

Infosec Insiders Newsletter

As NPR reported on Jan. 15, some 8 million people experienced “administrative chaos” following the attack, including tens of thousands of public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and “medical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.”

020722 18:31 UPDATE: Sportswear manufacturer Puma was one of two UKG customers whose employees’ personally identifying information (PII) – including their Social Security Numbers (SSNs) – was stolen by attackers. See below for more details.

020822 10:55 UPDATE: A UKG spokesperson reached out to Threatpost to clarify the that the September Puma breach, which  resulted in stolen source code, was unrelated to UKG’s December ransomware attack on  Kronos Private Cloud. UKG subsequently discovered that Puma was one of two customers who had employee PII compromised as a result of the ransomware attack. Puma was a Kronos Private Cloud customer, and the affected employees and their dependents are in the process of being notified, he said.

Furious and Filing Suits

As far as UKG’s gratitude for customers’ patience goes, it might be a little aspirational.

Customers were already seething over the company’s lack of communication as the weekend unwound following the Saturday, Dec. 11 discovery of the attack. They complained about poor communication, a lack of information about whether their data was still out there somewhere, that the company’s portal and support site had gone AWOL right in the thick of things, and that the “weeks” or “delays” to restore systems was insupportable.

Kronos customers’ complaints. Source: Kronos Community Forum.

The subsequent lawsuits include a class action filed by New York transit workers claiming that the Metropolitan Transportation Authority has “failed to pay certain employees any overtime wages since their payroll administrator was crippled by a December 2021 data breach.”

Workers at Tesla and PepsiCo have also brought separate lawsuits over the UKG payroll outage, claiming that they received inaccurate pay during the outage.

As well, at the end of December, West Virginia’s state auditor, J.B. McCuskey promised that “we’re going to hold Kronos accountable” for what he called the “real pain in the rear end” of having to manually input information for more than 37,000 state employees before they got their first paychecks of 2022.

020722 17:54 UPDATE: UKG didn’t respond to Threatpost’s inquiries regarding when it expects all of its systems to be fully restored. On Thursday evening, a company spokesperson pointed Threatpost to an FAQ that states that the company is working with Mandiant and West Monroe “to test and continually harden our environment.”

The company has identified “a relatively small volume of data that was exfiltrated” – data that included the personal details of two customers’  employees. Both affected customers have been notified, it said.

In September, The Record reported that one of those customers was Puma, the sportswear manufacturer. The attackers stole source code, according to The Record. As of late August, they were trying to extort the company into paying ransom for it, threatening to release the files on a leak site if the German company didn’t pay up.

020822 10:44 UPDATE: The two incidents – Puma’s September breach and the attack on UKG, which provides services to Puma – are unrelated, contrary to what Threatpost erroneously reported in an earlier update.

As BleepingComputer reported on Monday after having dug up breach notification letters filed with several attorney generals’ offices, the breach notification UKG filed with the Office of the Maine Attorney General indicated that personal information belonging to Puma employees and their dependents was involved in the breach.

Puma was one of two customers who had employee PII compromised as a result of that incident. Puma was a Kronos Private Cloud customer, and affected employees are in the process of being notified – hence the filing with the Maine AG’s office.

That same letter said that data belonging to a total of 6,632 individuals were affected in the UKG breach, including SSNs.

Customers No Longer Using Pen and Paper

UKG’s core services were restored as of Jan. 22. That leaves “certain supplementary customer applications” still to be restored. But at this point, customers are no longer  using pen and paper for payroll, employee scheduling and other critical functions.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles


  • Me on

    I work at Kronos, now UKG. It’s not been fun for us either. Not happy about this hit to the company reputation, and really feel for those affected. A real difficult lesson for everyone. And the nature of these incidents means we’ll never know just how it happened.
  • Joe on

    I work for PepsiCo Tropicana Products in Bradenton Florida we have not been paid for any overtime since the outage on December 11. The company has been working with the employees as much as one could expect on payroll issues but it is still not enough. A lot of the employees work 60 + hours a week what UKG is missing is the fact people rely on their over time to pay their mortgage, car payments, Insurance, and child support. These are things that can hurt a persons credit rating and much more trying to did out from getting behind on these things. Another thing is child support the courts do not care if can not pay your child support because of UKG's outage of payroll systems IE: Judge I am sorry I can not pay my child support due to the UKG payroll outage, Judge's response I am sorry Mr. Smith this has impacted you but you do not have a get out of jail free card so pay or off to jail you go. Same for credit reporting we are sorry you credit score dropped because you was late 2 months with your payment. Or your auto loan goes in default and here comes the wrecker to haul it away. I bet CEO's pay was not interrupted but for us working people this has been a total nightmare.
    • Lisa Vaas on

      Joe, that sounds horrific. Hopefully things are back on track now, given what UKG says about all essential systems being back online?
  • Shawn Welden on

    It Feb 19th and my place of employment has not been put back on track we are still manually writing our hours down. The system is still not back up
  • Alexander Raschiatore on

    Yeah I was full time and went to casual last September 2021. I had 10 hours frozen holiday PTO and 24 hours regular PTO. Logged back in after the fox. My 10 hours holiday is still there but my 24 hours of reg PTO vanished.

Leave A Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.