
Will my salary be affected by the hack? : NPR

A man holds a laptop as the network code is flashed at him.

A ransomware attack on one of the largest HR companies could affect how employees are paid and how their paid leave is tracked.

Human resource management company Ultimate Kronos Group (known as Kronos) said it suffered a ransomware attack that could keep its systems offline for weeks.

Companies that rely on this software are scrambling to find fallbacks to ensure their employees get paid — including issuing paper checks, some for the first time in years.

Kronos is widely used across the country by businesses and governments to track employee hours and pay wages. Its many clients include city governments, university systems, and large corporations. (NPR also uses Kronos.)

According to a UKG spokesperson, the ransomware only affects customers who use a specific product called Kronos Private Cloud.

“We took immediate action to investigate and mitigate the issue, alerted affected customers and notified authorities, and are working with leading experts on the matter. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working,” the spokesperson said in a statement to NPR.

Which employers are affected?

Dozens of companies and government organizations this week announced that they had been affected by the attack – a number far below the likely impact, given the prevalence of Kronos.

The affected products include scheduling products specifically designed for healthcare systems, financial institutions, and public safety officers.

Throughout Monday and Tuesday, many employers informed their employees that they had been affected – such as employees of the New York Metropolitan Transportation Authority, hospital workers in San Angelo, Texas, and public water workers in Honolulu.

The city of Cleveland, which employs thousands of workers, said in a statement on Monday that it was one of the employers that relied on the hacked software, along with the Oregon Department of Transportation.

And some universities, such as the University of Utah, George Washington University and Yeshiva University in New York, also reported being affected.

How does it affect wages?

How much each employee is affected depends on how their employer uses the software.

Employers that use Kronos to clock employees in and out of shifts can require workers to manually track start and end times, while companies that rely on Kronos to issue pay slips can send paper checks for as long as the service is down.

Employers can also choose to pay employees for their scheduled base hours, rather than actual hours worked – and then make revisions as needed.

The Fair Labor Standards Act requires employers to track employee hours regardless of the timekeeping method used (in other words, through Kronos, a manual time card or otherwise), then pay their workers promptly. Individual states can govern exactly how often those paychecks are due.

What about personal data?

As for personal data, what employee information is stored in Kronos – and which could therefore be exposed to attackers – will vary from employer to employer.

In statements to employees, several companies said they believed the most sensitive personal data, including Social Security numbers, was not breached – but the City of Cleveland warned employees that the last four digits of their Social Security numbers may be at risk.

How long before service is fixed?

According to a blog post by Bob Hughes, the company’s chief customer and strategy officer, it could be “several weeks” before the service is up and running again. The post was published on Sunday, although it was subsequently inaccessible.

Because repairs can take enough time to affect payroll and scheduling, the company has urged employers to seek “alternative business continuity protocols” while repairs are in progress.

Is this related to Log4j?

As of Tuesday, it was unclear how ransomware attackers were able to take the software offline.

The incident came after the disclosure of a major vulnerability in a piece of software called Log4j, which is commonly used with the Java programming language.

The Log4j vulnerability allows hackers to remotely take over a device or system running the software, allowing them to install cryptocurrency miners or steal personal data.

Because Java is one of the most widely used programming languages in the world, cybersecurity researchers have warned that the effects could be widespread.

Allan Liska, an intelligence analyst at cybersecurity firm Recorded Future, said there is still no basis for linking the Kronos hack to the Log4j vulnerability.

“It’s possible that the attacker was in Kronos for weeks to launch the attack before Log4J was reported. That doesn’t mean the two weren’t connected. But the best current evidence suggests the opposite,” he told NPR.

Additional reporting by Jenna McLaughlin.
