A month-old ransomware attack is still causing administrative chaos for millions of people, including 20,000 public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and medical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.
In the weeks since the attack knocked out Kronos Private Cloud — a service that includes some of the nation’s most popular workforce management software — employees from Montana to Florida have reported paychecks short by hundreds or thousands of dollars, as their employers have struggled to manage schedules and track hours without the help of the Kronos software.
Though Ultimate Kronos Group, the company that makes Kronos, says that it expects systems will be back online by the end of January, affected employers say they don’t yet know for sure when they will actually be able to access their systems and information.
The additional burden won’t end once Kronos is back: Finance and human resources departments around the country face weeks of additional work bringing the manual records they have collected over a month or more back into the Kronos system. In the most severe cases, that backlog could delay issuing W-2s and other tax information.
“I can say that the timing wasn’t the greatest, with end of year tax implications and people, most importantly, looking for their checks,” said Paul Patton, the chief human resources officer for the city of Cleveland, which has set up a “war room” of administrative staff working to reconcile pay for the city’s 8,000 employees.
Now that the disruption has proven to be major, some employers are considering lawsuits or other legal challenges to their contracts with UKG.
That includes the New York City area’s Metropolitan Transportation Authority. MTA has “taken the first steps toward initiating legal action,” said Eugene Resnick, an MTA spokesperson.
The hack is disrupting major public and private employers
Thousands of employers rely on Kronos products that were knocked offline, including some of the nation’s largest private employers such as FedEx, PepsiCo and Whole Foods. Public employers, such as Prince George’s County, Md., and the University of Utah, succumbed too.
About 8 million total employees are affected by the outage.
In Santa Fe, N.M., most of the city’s 1,500-plus employees are filling out spreadsheets every two weeks to track their hours, rather than use the cloud-based software timecards that are customized to the needs of each city department.
Workers all across the city are affected by the Kronos outage, from the libraries to the police and fire departments, said Bradley Purdy, the city’s chief information security officer.
“Just like everybody else, we’re driving them crazy, saying, ‘What’s the latest?’,” said Purdy. “If I was in their shoes, I’d be overly cautious too. They don’t want to bring everything back up and all of a sudden have a repeat.”
Employers have turned to a variety of manual solutions to cope with the temporary loss of Kronos. Some have asked employees to submit Google Forms every two weeks; others have simply asked employees to send their hours by email.
Others, like the city of Cleveland, have chosen to estimate their workers’ hours for now, whether by issuing paychecks based on an employee’s scheduled hours, or duplicating paychecks from previous pay periods.
That has resulted in paycheck shortages for some employees, especially those who worked overtime or on holidays. Federal labor law requires those employers to retroactively correct paychecks when they are able.
Health care employers have been hit particularly hard
For health care employers, the timing could not be worse. “A significant number” of the nation’s hospital systems and health care employers have been affected by the Kronos outage, said John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk.
One of the Kronos products knocked offline was designed specifically for health care providers to help them manage the complex employee schedules at 24-hour facilities.
The outage is an unneeded administrative nightmare timed precisely as the omicron surge is hitting hospitals, Riggi said.
“If you divert a clinical manager to help manual processing of payroll and timekeeping, obviously that’s taking them away from their clinical management duties,” said Riggi. “As we always do, hospitals and health systems get it done and care for patients, but under additional stress and burden that they don’t need right now.”
The attack has affected hospital systems and healthcare employers of all sizes – from small, remote rural hospitals up through urban multi-hospital medical systems, according to the AHA.
Some have struggled to pay workers accurately. Employees across the country have turned to their unions, social media, or local news outlets to report inaccurate paychecks.
Employees of the University of Florida Health system in Jacksonville told local TV station News4Jax that they have not received overtime or holiday pay for six weeks. In Montana, more than 250 nurses at Missoula’s Community Medical Center have missed out on pay due to the hospital’s decision to pay employees by duplicating an early December paycheck, according to a letter from the Montana Nurses Association reported by The Missoulian.
Affected employers have committed to correcting worker pay once Kronos systems are back online.
But for workers who live paycheck-to-paycheck, losing out on overtime and holiday pay is difficult, even if their pay is eventually corrected.
If the outage is prolonged, what is now a bad situation could become a nightmare for health care systems if workers become so exasperated that they choose to leave for employers whose payroll systems are intact.
Riggi and the American Hospital Association acknowledge that the ultimate responsibility for the disruption belongs to those who launched the ransomware attacks. “But that being said, there is still great disappointment in the field with Kronos, in terms of lack of initial transparency as to the extent of the disruption and in terms of initial backup procedures as well,” he added.
UKG isn’t saying how this happened and who is responsible
UKG has been tight-lipped on details about the attack and who is responsible. (The incident appears to be unrelated to the recently discovered Log4j vulnerability, the company says.)
“We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts,” said UKG in a statement shortly after the attack was announced in mid-December.
The company has hired Mandiant, a cybersecurity firm, to conduct an investigation of the incident and West Monroe, a digital consulting firm, to help restore operations.
Ransomware and other cyber attacks on private-sector corporations are increasingly common. President Biden has made combating cybercrime a priority of his administration. The Justice Department indicted two ransomware criminals late last year.
“A pretty juicy target”
As centralized providers of mission-critical software to thousands of employers nationwide, companies like UKG are at constant risk of cyber attacks, experts said.
In the eyes of ransomware attackers, who seek to maximize their leverage to extract as large a ransom as possible, a workforce software provider like UKG during the holiday season would be “a pretty juicy target,” said Scott Kannry, the CEO of cybersecurity firm Axio.
“During the most inopportune time for somebody like that to go down, you stand a better chance of getting somebody to cut you a big check to get out of it,” he said.
Now, as UKG begins to restore its systems, it will soon face another round of consequences: legal action and lawsuits.
Some of those legal threats may come from employers, such as MTA in New York.
Others will come from workers. After Larry Kroeck, a cafeteria employee at Pittsburgh’s Allegheny General Hospital, asked about 54 hours of pay missing from his paycheck, supervisors told him “nothing could be done and there were 2000 other Larry Kroecks with the same problem,” according to a lawsuit filed by Kroeck this week that names both UKG and the hospital as defendants.
The hack could potentially have jeopardized personal information
A class-action suit filed last week in the Southern District of Florida alleges more than $5 million in damages stemming from what it calls UKG’s “failure to properly secure and safeguard personal identifiable information.”
What personal information was breached depends on how individual employers used UKG’s various services. Many employers warned their workers that some information is likely in the hands of attackers, including names, contact information and basic employment information.
For some, the breach could be more severe: The city of Cleveland, for instance, warned its employees that the final four digits of their Social Security Numbers were compromised.
A spokesperson for UKG declined to comment on the lawsuits. “Our investigation is still ongoing and we are working diligently with cybersecurity experts to determine whether and to what extent sensitive customer or employee data has been compromised,” UKG wrote in a public update on Dec. 28.
Perhaps more simply, the breach may cause UKG to lose customers to its competitors. “Ransomware, more than the cost of anything else, just hurts your reputation,” said Purdy, the information security official for the city of Santa Fe.
Workforce management software is traditionally “sticky,” a term in the software industry that means it can be difficult for customers to switch to a competitor. But experts said that the length and severity of the disruption will have employers taking a second look, even if they ultimately choose to stay with Kronos.
“I’m sure everybody’s going to be looking at their contract a little closer,” said Purdy. “And when those contracts come up for renewal, they’re going to make sure there’s a lot more language on what to do in this kind of scenario.”