Kronos Still Dragging Itself Back From Ransomware Hell

UPDATE: Puma was one of the companies from which employees’ personal data was stolen. Customers including Tesla, PepsiCo and NYC transit workers are filing lawsuits over the “real pain in the rear end” of manual inputting, inaccurate wages & more.

Remember when Kronos, the workforce-management workhorse, got whacked by ransomware in December, right in time to gum up end-of-year HR busywork such as bonuses and vacation tracking?

Could take days to crawl back, Ultimate Kronos Group (UKG) said at the time. Or, then again, could take up to several weeks, it said in a subsequent update.

It turns out that dragging its Kronos Private Cloud (KPC) systems back has taken nearly two months. As of Jan. 22, it wasn’t yet done dragging them back, but aggrieved customers had started the process of dragging the company into court as scheduling and payroll was disrupted at thousands of employersincluding hospitals – many of which have been forced to log hours manually.

Infosec Insiders Newsletter

As NPR reported on Jan. 15, some 8 million people experienced “administrative chaos” following the attack, including tens of thousands of public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and “medical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.”

020722 18:31 UPDATE: Sportswear manufacturer Puma was one of two UKG customers whose employees’ personally identifying information (PII) – including their Social Security Numbers (SSNs) – was stolen by attackers. See below for more details.

020822 10:55 UPDATE: A UKG spokesperson reached out to Threatpost to clarify the that the September Puma breach, which  resulted in stolen source code, was unrelated to UKG’s December ransomware attack on  Kronos Private Cloud. UKG subsequently discovered that Puma was one of two customers who had employee PII compromised as a result of the ransomware attack. Puma was a Kronos Private Cloud customer, and the affected employees and their dependents are in the process of being notified, he said.

Furious and Filing Suits

As far as UKG’s gratitude for customers’ patience goes, it might be a little aspirational.

Customers were already seething over the company’s lack of communication as the weekend unwound following the Saturday, Dec. 11 discovery of the attack. They complained about poor communication, a lack of information about whether their data was still out there somewhere, that the company’s portal and support site had gone AWOL right in the thick of things, and that the “weeks” or “delays” to restore systems was insupportable.

Kronos customers’ complaints. Source: Kronos Community Forum.

The subsequent lawsuits include a class action filed by New York transit workers claiming that the Metropolitan Transportation Authority has “failed to pay certain employees any overtime wages since their payroll administrator was crippled by a December 2021 data breach.”

Workers at Tesla and PepsiCo have also brought separate lawsuits over the UKG payroll outage, claiming that they received inaccurate pay during the outage.

As well, at the end of December, West Virginia’s state auditor, J.B. McCuskey promised that “we’re going to hold Kronos accountable” for what he called the “real pain in the rear end” of having to manually input information for more than 37,000 state employees before they got their first paychecks of 2022.

020722 17:54 UPDATE: UKG didn’t respond to Threatpost’s inquiries regarding when it expects all of its systems to be fully restored. On Thursday evening, a company spokesperson pointed Threatpost to an FAQ that states that the company is working with Mandiant and West Monroe “to test and continually harden our environment.”

The company has identified “a relatively small volume of data that was exfiltrated” – data that included the personal details of two customers’  employees. Both affected customers have been notified, it said.

In September, The Record reported that one of those customers was Puma, the sportswear manufacturer. The attackers stole source code, according to The Record. As of late August, they were trying to extort the company into paying ransom for it, threatening to release the files on a leak site if the German company didn’t pay up.

020822 10:44 UPDATE: The two incidents – Puma’s September breach and the attack on UKG, which provides services to Puma – are unrelated, contrary to what Threatpost erroneously reported in an earlier update.

As BleepingComputer reported on Monday after having dug up breach notification letters filed with several attorney generals’ offices, the breach notification UKG filed with the Office of the Maine Attorney General indicated that personal information belonging to Puma employees and their dependents was involved in the breach.

Puma was one of two customers who had employee PII compromised as a result of that incident. Puma was a Kronos Private Cloud customer, and affected employees are in the process of being notified – hence the filing with the Maine AG’s office.

That same letter said that data belonging to a total of 6,632 individuals were affected in the UKG breach, including SSNs.

Customers No Longer Using Pen and Paper

UKG’s core services were restored as of Jan. 22. That leaves “certain supplementary customer applications” still to be restored. But at this point, customers are no longer  using pen and paper for payroll, employee scheduling and other critical functions.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles