Kronos hit by ransomware, crippling its HR services

On Dec. 11, 2021, Ultimate Kronos Group (UKG), one of the largest HR software companies in the world, was hit with a crippling ransomware attack. This hack impacted the Kronos Private Cloud, a data storage entity for multiple company services, including UKG Workforce Central and its payroll systems. As a result, employers can no longer track work hours or schedule shifts, and employees are unable to request paid time off or check paystubs. Many customers have had to draft contingency plans to deal with the ongoing service outages, causing payroll delays for thousands of workers, including hospital staff. So what happened, and how is UKG rectifying the situation?

What happened?
According to a statement from Bob Hughes, executive VP of UKG, Kronos "became aware of unusual activity impacting UKG solutions using Kronos Private Cloud" on Dec. 11, 2021. They quickly identified the "unusual activity" as a ransomware attack affecting UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. Since the Kronos Private Cloud houses a significant amount of the company's data, this breach has also exposed the information of employees and many of UKG's customers.

The impact
As a massive international HR management platform, Kronos deals with many high-profile private and public-sector customers around the world. In the U.S., this includes Tesla, the New York Metropolitan Transportation Authority, the Oregon Department of Transportation and many other smaller local authorities. Some of the customers impacted the most by the hack have been emergency services, fire and police departments and healthcare facilities. According to a report by News4Jax in Jacksonville, Florida, three of the city's local hospitals are suffering from payroll delays while struggling to log work hours and manage extra pay, leading to many disgruntled employees. And this experience doesn't seem to be uncommon among Kronos customers. The Society for Human Resource Management (SHRM) indicates that around 2,000 organizations rely on the affected software, which remains non-operational at the time of writing. However, the damage doesn't stop there.

The attack targeted UKG's private cloud-based applications along with company data centers in the U.S., Germany and the Netherlands. UKG has admitted that some customer data was stolen, according to The Stack. The affected data centers housed personally identifiable information for thousands of customer employees, leaving many worried about privacy and identity theft. It's especially concerning as the hack not only disabled the private cloud but also prevented communication with backup environments. Kronos restored communication by the end of December and now has full access to the backup data storage.

UKG's response
Following the attack's discovery on Dec. 11, Kronos responded quickly to mitigate the impact. In the statement cited above, Bob Hughes says, "We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities." Since then, the company has frequently updated its FAQ about the incident. According to the latest status on Jan. 6, 2022, Kronos is "making significant progress on [its] restoration efforts." However, many customers remain unsatisfied as the process is expected to take several weeks.

The latest updates
As of early January, Kronos was able to restore its core services and regain access to backup data and production environments. The company is now working on validating the integrity of the information and customer environments and starting pilot tests to bring client systems back online. While this is good news, the complete remediation process is likely to take a long time, as Kronos needs to address each customer's unique environment.

Is Log4j to blame?
The recent news exposing the Log4j exploit, also known as Log4Shell, has left many wondering if the attackers used this vulnerability in the UKG breach. After all, there were 1.8 million documented exploit attempts in just the first week following Apache's announcement of the flaw. While security experts were quick to discover and patch Log4Shell, it can often take companies months to update their systems fully. Unfortunately, many tech companies are still scrambling to address the threat and fix their Java-based logging systems.

As of now, it's unclear whether or not Log4Shell played a role in the UKG hack. As the company states on its Kronos community website, "The Log4j2 vulnerabilities CVE-2021-44228 and CVE-2021-45056 have been remediated across all UKG products, and we are actively addressing the Log4j2 vulnerabilities for CVE-2021-45105." However, in a statement given to the SHRM, UKG officials state that they're still investigating any connection between the recent data breach and Log4Shell.

Prepare your business for cybersecurity threats
While the attack vector in the UKG incident remains unknown, there are a few steps companies can take to defend against potential threats. To help boost your organization's cybersecurity, Inventu offers a terminal emulation tool that can protect against data breaches.

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high-performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows the deployment of reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, the Inventu Viewer+ web terminal emulation meets employer and staff expectations in a way that feels both familiar and simple. Contact us today and see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.