On December 13, 2021, Ultimate Kronos Group (UKG) notified customers that they had found unauthorized activity impacting UKG solutions using Kronos Private Cloud. Their investigation revealed the worst-case scenario: ransomware. 

According to the company, the incident affected the Kronos Private Cloud, where some of their UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. Products not expected to be affected by the attack include UKG Pro, UKG Ready, and UKG Dimensions, as well as any solution deployed in on-premises or self-hosted environments.

As a result of this attack, global customers who use the cloud-based solutions have been knocked offline. Some even had to resort to pen-and-paper processes to try to pay their employees (right in the middle of the holiday season).

This article will explain what we currently know about the ransomware attack, as well as how to prepare once it’s safe to go back online.

What Happened to UKG Kronos Private Cloud  

UKG reports that on December 11, they noticed the unusual activity and immediately took action to investigate and mitigate the issue. The company has not disclosed specific details about the hack or the nature of the ransomware demands, but ransomware has become one of the most pervasive threats to businesses today. (So much so that experts from Cybersecurity Ventures estimate that one attack takes place every 11 seconds.)

UKG said a “relatively small volume of data was exfiltrated” by the attacker, and that they’re in the process of analyzing the data and notifying customers. It’s important to keep in mind, however, that fully determining the scope of the incident could take weeks or even months. In the meantime, UKG reports that they’re working with leading cybersecurity experts to assess and resolve the situation.

How Have Clients Been Impacted?

Kronos Private Cloud is used for HR purposes, meaning clients share sensitive employee information with UKG. This presents an elevated risk of data compromise. The ongoing investigation into the ransomware attack against UKG is still trying to determine if any client data was exfiltrated. Many clients have received confirmation from UKG that none of their data was compromised during the ransomware attack. Others have sought help from their cyber insurance policies to ensure they adhere to privacy regulations if they find that their data was compromised. At this time, no clients have reported that their networks or computer systems were compromised during the attack. 

The Kronos attack caused business interruption for some clients who had to process paychecks and timekeeping manually. It is unclear if clients can recover these expenses from their cyber policies’ business interruption coverages, as it depends on how the policies define business interruption loss or extra expenses. Some cyber insurance policies define extra expenses as those incurred to reduce loss of income, while others interpret it more broadly to include expenses over and above the company’s ordinary expenses. Clients affected by the attack are advised to review their service agreements with UKG to see if they can recover any expenses, including making an indemnification demand against UKG if necessary. Thankfully, UKG will cover notification and monitoring protection services should clients have to seek coverage for data incident response expenses.

Key Steps to Managing Third-Party Risk

Compile Your Vendors

Before you perform a risk assessment, you need to have a list of all your vendors handy. This can be difficult to accomplish for organizations that work with many different vendors. However, it is imperative that you catalog all the vendors your organization works with to perform an accurate risk analysis.

Analyze Risk Associated with Each Vendor

After you have a list of every vendor your organization works with, it’s time to assess the security posture of each one. If a vendor has poor security posture and lacks a robust system of best practices to ensure data integrity, then it could pose a risk to your enterprise’s operations.

Prioritize Vendors Based on Risk

After analyzing the risk associated with every third-party vendor, the next step is categorizing them based on their impact. If a vendor poses significant threats to your business and can be swiftly replaced, it would be wise to do so to mitigate any long-term security risks. Categorizing your vendors will assist in finding potential security threats and determining where a change is beneficial.

Monitor Vendors Continuously

Performing a risk assessment once is not enough to safeguard against security threats. As technology evolves, every business must adapt to ongoing changes. Continuously monitoring third-party vendors will allow you to stay ahead of any changes or threats and respond quickly.

Remediation and Recovery 

Due to the nature of the attack, the recovery process is happening in parallel phases. As of writing, customers should begin receiving information about their organization’s restoration process between January 3 and 7.

During Phase 1, UKG will run customer environments through a validation and scanning process to check systems for any corruption, malware, or other issues. Next, they’ll apply what they call “hardening measures” to the Kronos Private Cloud. These will include patching for Log4j and other vulnerabilities, resetting passwords, and further cyber-hygiene measures.

Finally, once those steps have been completed, you’ll be allowed to restart your organization’s environment and validate that your system is ready for production. 

How Surety Systems Can Help

We understand that this has been a very stressful time for many companies scrambling to keep their payroll practices going without having access to their software, not to mention the additional stress of the potential impact to your data. And could there be a worse time than the holiday season for this sort of attack?

Our senior-level UKG Kronos consulting team understands these challenges and can help guide you through the process of getting your system back online. Once you’ve regained access to your system, there will be a laundry list of activities to be completed before you can get everything back in action. You’ll need to reschedule events, validate historical data, and reconcile data that you’ve been tracking offline during this downtime. 

Our experienced Kronos experts can help support you through this process, so that you can get back to normal business operations as quickly as possible, without sacrificing data integrity.  Contact us today to learn more.