Cybersecurity and HR information systems analysts who spoke to HR Dive did not mince words when describing the magnitude of December's ransomware attack against workforce management platform Kronos.
"This was unparalleled, unmatched," said Richard Pemberton, senior HRIS analyst at MHI Shared Services Americas and former Kronos employee. "This is the equivalent of a nuke, basically."
"It was certainly the most notable and recent example of [ransomware] causing some challenges for the HR team," said Allie Mellen, security infrastructure and operations analyst at Forrester, who added that the incident likely will not be the last of its kind. "Honestly, I think it's only going to become more prevalent as time goes on, unfortunately."
The incident affected customers using UKG's Kronos Private Cloud product. The company said the first phase of its recovery process was completed January 22, restoring access to the core functionality of Private Cloud. Additional restoration of applications that some customers use as part of their UKG solutions is ongoing.
Of the six employers that responded to HR Dive requests for comment, most said they plan to continue their relationship with the company moving forward. But the fallout may pan out in a variety of other ways in the coming months and years.
The companies keeping Kronos
Three of those HR Dive spoke with represented health providers. Dan Leveton, media relations manager for University of Florida Health Jacksonville, said in an email that the organization's Kronos system was down "for about three pay periods but is back up and running fine." Though UF Health used manual timesheets during that time, employees continued to clock in and out as usual, and this information was stored locally in the organization's time clocks. The outage "only affected some overtime, etc.," Leveton said.
Penn Highlands Healthcare, a regional system in northwestern Pennsylvania, praised Kronos' response. "Yes, Penn Highlands Healthcare still uses the Kronos timekeeping system," Heather B. Schneider, chief financial officer, said in an email. "The Kronos parent company, [UKG], handled a very difficult circumstance with class and urgency."
And in a previously reported interview, Sergio Melgar, chief financial officer at UMass Memorial Health in Massachusetts, said the health system plans to continue using Kronos while implementing a new backup process to handle future incidents.
Meanwhile, Massachusetts-based grocery store chain Stop & Shop also implemented an "alternative process" for pay and scheduling when its Kronos time entry system went down, said Caroline Medeiros, external communications manager; "Making sure our associates are paid on time and accurately continues to be a top priority. Yes, we continue to use Kronos."
Keolis Commuter Services, a passenger transportation services firm that operates and maintains Massachusetts Bay Transportation Authority's commuter rail service, "expects that companies like Kronos will have effective business continuity plans in place, just as we do, in the event of any disruptions," Stephan Oehler, vice president of finance, strategy and transformation, said in an email.
"While the nature of this situation was such that it required considerable time, energy and resources to manage in order to mitigate negative impacts to our employees, Keolis continuously strives to enhance and improve our own systems to minimize vulnerability for our systems and protocols, even when we rely on external vendors to provide critical services," Oehler continued.
How well did Kronos respond?
Customers have not been without their frustrations, however. Pemberton, whose organization lost access to its Kronos-provided time clocks during the outage, said he was "disappointed" by the company's initial response; it was unable to provide a backend solution that would allow clients to continue using the company's solution with minimal disruption, he said.
"We had like 100 time clocks. Those clocks were not cheap. They were basically bricks for two months."
Senior HRIS Analyst, MHI Shared Services Americas
He also criticized the company's early communication around the incident. Pemberton said MHI Shared Services contacted Kronos' response team to open a case once it realized that an outage occurred, but he "didn't get any feedback on that" initially.
As knowledge spread of a larger outage affecting multiple employers, Pemberton, who used to work as an incident response representative for Kronos, said it was his impression that "even Kronos didn't understand what was going on."
"Unfortunately, there was a lot of frustration early on with a lack of communications from Kronos after the attack and how long it would actually result in downtime," Mellen of Forrester said. "That caused a lot of early friction and frustration."
In an email, a UKG spokesperson provided a statement on the company's response: "Core functionality for customers impacted by this incident was restored by January 22. To achieve that, we organized our teams to bring as many customers live as possible as quickly as possible. In light of the global pandemic, we had specialist teams dedicated to healthcare, first responders, and similar customers. These teams worked in addition to separate teams that were simultaneously working on other customer groups in parallel. Since the incident occurred, we have focused on communicating with those customers in a transparent, timely manner."
The timing of the incident "caused a lot of pain for some of these organizations," Mellen said. For example, healthcare providers impacted by the outage may have been managing outbreaks of the omicron variant.
But sources also acknowledged the company's response improved as time went on. "They have been much more transparent," Pemberton said of UKG, adding that the company eventually provided more frequent estimated timelines for service restoration.
UKG has been "generous at times" in financial negotiations following the incident, Pemberton noted, but he said he would like to see reimbursement beyond two months of service credit from the company. "We had like 100 time clocks. Those clocks were not cheap. They were basically bricks for two months," Pemberton said. "I want reimbursement for that, at least."
Nonetheless, MHI Shared Services also will retain Kronos moving forward, Pemberton said, and the organization plans to migrate from the Private Cloud product to UKG's Dimensions product, which Pemberton described as a more secure alternative in part because it is hosted on Google's cloud platform, rather than Kronos'.
"There's no vendor on the market that has the same capabilities that Kronos has for timekeeping, and we would have to train so many people," Pemberton said.
What precedent will the outage set?
Of the more immediate challenges caused by the Kronos ransomware attack, litigation — launched by affected employees and other parties — may be at the forefront.
Media reports have already begun to take note of challenges filed by workers who say they were owed back pay due to errors caused by the outage. In February, one New York City transit employee filed a putative collective action alleging that her employer unlawfully delayed payment of earned overtime wages owed to employees beyond their regularly scheduled pay days. In addition to employee-driven suits, Mellen said UKG could potentially face lawsuits from employers.
While Mellen said she was not familiar with any specific language around cybersecurity liability in a typical contract between payroll vendors like UKG and their clients, "it wouldn't surprise me if it was limited or quite vague." She added that some clients may seek to transition to different providers to avoid the risk of a similar incident in the future.
A more significant long-term takeaway may be that employers need to have their own plan to recover payroll data in the event of a similar incident, according to Pemberton. Employers, he said, "shouldn't rely on a vendor to be the end-all-be-all. You always need to have a backup plan."
Mellen offered up similar guidance, adding that security teams and HR operations should prioritize a strategy for communicating with employees around such incidents.
"It's something I don't think having a conversation will resolve, necessarily, but that constant communication with employees is important," she said. "It has to be a mix of that with action to ensure employees get the money they are expected to receive."
Moreover, the incident may serve as a cautionary tale to employers about the significance of ransomware attacks against vendors and the "existential" threat such attacks can pose to business, Mellen said. She recommended that HR teams work with information technology and security teams to develop backup solutions so employers can continue to run payroll if a vendor does not provide its own backup.
Vendors are paying attention, too. "UKG has learned a painful lesson, but it's a very difficult lesson to learn from," Pemberton said.