2021 was the year that ransomware went viral, and not in a good way. Although ransomware is far from a new scourge, it became household news this year as extremely high-profile attacks crippled Main Street companies, even leading to gas lines at the pumps on the east coast of the United States. This year, talk of “part 2” of ransomware events – data exfiltration – also amped up the ransomware risk profile as more companies began to realize that recovering now-inaccessible systems is just the tip of the spear when it comes to dealing with a complete ransomware recovery. Attackers have learned that companies may not pay to recover access to their systems, but the Bitcoin spigot will turn to full stream when the potential reputational and legal risk associated with data exposure becomes apparent.
What could be more compelling than taking down a pipeline company in terms of potential for data loss? What about a system that houses the real keys to the data kingdom – social security numbers, bank account numbers, and all manner of other personally identifiable information commonly associated with human resources and payroll systems?
Earlier this week, that nightmare scenario came to pass as timekeeping and payroll giant Kronos became the latest to succumb to a ransomware attack. According to the company, solutions running on its Kronos Private Cloud platform are unavailable, leaving untold numbers of its client organizations unable to account for time and attendance and send paychecks to employees. Fortunately, according to Kronos, customers that use these services in an on-premises deployment are not impacted by the ransomware event.
Unfortunately, Kronos Private Cloud customers around the world are currently scrambling to cover the timekeeping and payroll services they normally rely on Kronos to provide. Worse, it might be a while before these customers are back in the payroll business. This was the guidance provided by Kronos:
“Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”
To say that this is crippling for many organizations would be a vast understatement. I’ve been reading anecdotes about companies reverting to paper because they don’t have a fallback system and, even with Kronos urging customers to seek other solutions, these kinds of systems don’t exactly deploy in hours. It can take weeks or months of planning. Many companies have robust disaster recovery plans in place if their own systems go down, but for those that use SaaS solutions or other solutions provided by a vendor, they rarely have a backup system available at the flip of a switch. They rely on their provider for these things. Whether that’s a good or bad strategy is debatable, but ruminating on that is pretty pointless when your employees want to get paid and you have no way to send them their checks.
To that end, a lot of companies are currently working hard to make sure people get paid on time, and they’re sometimes failing. And, again, anecdotally, I’ve seen comments from impacted companies indicating that they’re just paying people based on what they knew prior to the outage and they’ll ‘true up’ once they regain access to systems. If they underpay, some companies have indicated that they’ll write off-cycle checks to fix it, and if they overpay, they’ll deal with clawback (maybe) later. It’s essentially a triage situation right now, and companies just need to get money out the door.
The outage is just part of the problem, though. One serious issue I have not yet seen information about is data exfiltration. Were the attackers able to snag data, which could include SSNs and bank account information for a whole lot of people? If so, it transforms this incident from a major inconvenience into a nightmare scenario for both Kronos and all of its impacted customers. I haven’t been able to locate information about potential data exfiltration yet. If you have heard something, let me know on Twitter (I’m @otherscottlowe).
As is always the case in these kinds of incidents, the finger pointing began super early. A number of people have expressed displeasure with how Kronos is handling this situation, expressing dissatisfaction around the frequency and depth of communication. Others are placing blame on their employers – Kronos clients – indicating that they should have had more robust business continuity plans in place around payroll. I even saw a comment from one particularly upset person indicating that, if he didn’t get his check on time, he would file a wage claim with the appropriate authorities.
It’s important to remember that there are a LOT of victims here, from the employees of Kronos’ clients to the client organizations themselves. It’s also clear that Kronos itself is a victim. That said, any sympathy one may have for Kronos could evaporate once we learn more about how this attack took place and which preventative measures failed.
I’d love to hear more about your thoughts on this incident. Hit me up on Twitter or on LinkedIn.