- Kronos services could be out for several weeks.
- The company suggests using alternatives until it’s fixed.
- Most companies will rely on a manual process for tracking timesheets in the meantime, experts say.
A ransomware attack striking one of the largest human resources companies could impact how employees get paid, clock in for work and track paid time off.
HR management company Ultimate Kronos Group confirmed a ransomware attack impacted several services companies use to manage their employees and payrolls.
The attack, which UKG discovered on Saturday, affects the Kronos Private Cloud, which includes UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions, said the company.
“We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities,” said Bob Hughes, executive vice president for UKG, in a post on the company’s website. “The investigation remains ongoing, as we work to determine the nature and scope of the incident.”
Here’s everything we know so far:
How long before it’s fixed?
UKG said all products linked to the Kronos Private Cloud are unavailable, and it could take up to several weeks before service is restored.
The company advises customers to consider “alternative business continuity protocols” related to any Kronos services they used.
In a new statement Tuesday, UKG said any timeclocks used by companies still record and store when employees work offline until connectivity returns.
What is log4j? And is this connected?
Log4j is a popular logging package for Java software, used in games like “Minecraft” and banking and financial applications, says Jon Clay, vice president of threat intelligence at Trend Micro.
A critical vulnerability was discovered in the software, and according to internet security firm Trend Micro, this flaw has already been exploited. The flaw is considered so serious because the affected software is used in a wide range of devices that use Java software.
“Organizations and consumers should immediately patch any applications or systems affected by this bug,” said Clay.
Companies including Google, IBM and Amazon have been scrambling to address the vulnerability.
So, is this vulnerability related to what happened with Kronos? UKG said there’s no indication of a link.
“We are investigating whether or not there is any relationship between the security incident described above and the Log4j vulnerability,” said UKG in its latest update.
How are affected companies responding?
UKG boasts of several notable clients, including Tesla, Puma, the YMCA and several universities and hospitals.
In a statement Monday, the University of Utah said it has established a task force to determine how the ransomware attack may have impacted their systems.
“Paychecks will be distributed on schedule, although there may be adjustments at a later date to reflect corrections as needed,” said the university.
The City of Cleveland said its employees will still receive pay without interruption despite the attack, according to local reports.
In a statement Monday, Springfield, Massachusetts, one of Kronos’ customers, said the recording of city workers’ schedules and hours could be disrupted by the attack.
“The City of Springfield would like to reassure all city employees that contingency plans for recording employee schedules and hours will be implemented to mitigate the potential adverse effects this incident might cause and to make sure that employees will continue to receive their regular scheduled pay,” said the city in a statement.
What should I do if I’m affected?
If you’re an employee working for a company using Kronos systems, it’s likely a representative from payroll or human resources has already contacted you, said Amber Clayton, director of the Knowledge Center at the Society for Human Resource Management.
If not, employees should reach out to someone in HR or payroll to determine next steps.
Most companies will rely on a manual process for tracking timesheets or pay in the event a system goes down, Clayton said.
“Some employers may require them to do that or ask them to write down their own hours,” Clayton said. “If not, it’s always a good idea still to go ahead and do that for yourself so that you know what you’ve worked and how many overtime hours, things of that nature, then that way you can compare it to what the employer has and make sure that you’re paid appropriately.”
The Associated Press contributed to this report. Follow Brett Molina on Twitter: @brettmolina23.