The human resources impact of the Kronos ransomware attack


By: Chenee Castruita 

The unique combination of COVID-19 and a drastic decrease in the workforce found more workers putting in overtime this holiday season. Unfortunately, millions of workers last month experienced a delay not only in their packages, but in their pay as well. 

Kronos (Ultimate Kronos Group) provides human resource management services such as payroll, attendance and scheduling for organizations and municipalities across the globe. Its customers include healthcare organizations, universities, supermarkets, and cities.  

On December 11, 2021, Kronos recognized its Kronos Private Cloud was compromised by a ransomware attack. Kronos immediately began its investigation and engaged its cyber security team and insurer, and suggested affected customers adopt “alternative plans” to process payroll. By December 23, 2021, Kronos reported progress on its ability to restore customers’ data. By December 29, 2021, it reported having a detailed plan to carry out the restoration process, expected to take place in phases this month. 

Kronos regularly provided updates to customers through communication channels dedicated to the incident. By the end of December, it was able to offer temporary solutions to customers. Kronos also reported the incident to applicable regulatory agencies. Still, employers affected by the ransomware attack will be sorting this out for weeks to come. 

Customers used certain Kronos functions to track employee time entry, and to calculate and track pay including overtime or holiday pay. While offline time clocks still worked, Kronos and its customers were unable to access or collect that data. Organizations were forced to move to other methods of tracking, such as paper entry. Left without access to time worked, at least one company reportedly resorted to averaging the prior three paychecks to determine December pay.  

While a payroll vendor falling victim to ransomware might mitigate any penalties under the Fair Labor Standards Act, such an incident does not eliminate an employer’s duty to timely and correctly pay its employees. 

Additionally, Kronos has reported that a “relatively small volume” of data was exfiltrated by the threat actor, whose identity has not been determined. While the extent and nature of the compromised data is likely still being assessed, this incident should serve as a reminder to any organization to always conduct thorough vendor data security due diligence at the contracting stage. In preparation for a data security incident, it is also prudent to stay up to date on state data breach notification laws and on the contractual requirements with all third-party vendors, so that your organization (the “data owner”) understands the vendor’s (the “data collector’s”) responsibilities for 1) timing (and frequency) of disclosure to your organization, 2) reporting to applicable regulators, 3) notification to impacted individuals (employees), 4) sharing details about the event, 5) data recovery or recreation, and 6) compensation (particularly for service “downtime”) in the event of a data security incident such as this one.

FMG attorneys will continue to monitor the fallout of the Kronos ransomware attack. If your organization was affected, or if you have questions regarding your obligations as an employer or regarding your vendor’s data breach notification obligations, contact Chenee Castruita at [email protected], or your FMG attorney.