Concerns Linger Following UKG Ransomware Attack

​A long ordeal for customers of Ultimate Kronos Group (UKG) is nearing an end. The vendor has restored its time-keeping and payroll services after a ransomware attack disrupted the lives of thousands of HR professionals and employees alike.

But experts say fallout from the attack will continue, given that some customer data was stolen, companies will have to transition manual records back into UKG systems and shaken clients are questioning their future with the vendor.

In a public update on Jan. 22, UKG said it had restored core time, scheduling and payroll capabilities to all customers impacted by the ransomware attack on its Kronos Private Cloud system. The statement said UKG is now focused on the "restoration of supplemental features and nonproduction environments" and is offering video-based recovery guides to help customers reconcile their data.

The outage—which lasted more than a month for many UKG clients—forced thousands of organizations to scramble to create manual workarounds. It happened during a particularly challenging time of year; employers had to find ways to pay workers holiday pay and overtime as employees worked extra shifts to cover staff shortages caused by the omicron variant of the coronavirus and ongoing resignations.

UKG and companies using its services may be facing legal action. 

"Unfortunately, some customer data was stolen in the attacks and that creates a secondary concern for UKG and its clients," said Allie Mellen, a security and risk analyst with research and advisory firm Forrester. UKG confirmed in its latest public statement that the personal data of at least two of its customers had been "exfiltrated" or breached.

Cautionary Tale for HR Tech Vendors

HR technology analysts say vendors and their clients should brace themselves for similar attacks as more hackers train their sights on sensitive employee data rather than customer data.

"The reality is we're going to see more of these attacks," said Trevor White, a research manager specializing in HCM technologies with Nucleus Research in Boston. "The question for HR vendors is how they'll limit disruption to their customers as they go about solving problems related to ransomware and other cyberattacks. Unless you pay the ransom, these things can take weeks to solve."

Nabil Hannan, managing director for NetSPI, an enterprise security testing and vulnerability management firm in Minneapolis, said too many organizations still focus on protecting customer data at the expense of securing employee data.

"Hackers are getting more creative and focusing more of their efforts on finding ways to lock up systems that on their face may not seem as critical but that have far-reaching impacts, like HR data," Hannan said.

Among organizations affected by the UKG outage was Franciscan Health, a group of 14 hospitals in the Midwest. Ellen Page, director of talent acquisition for the organization, said an internal team led by information technology, payroll and HR shared services quickly stood up a manual system to ensure hospital employees got paid accurately and on time. 

"Some organizations impacted by the attack opted to simply pay people what they were paid in cycles before the outage, but we wanted to make sure employees were paid exactly what they were owed," Page said. "Because of staffing shortages caused by COVID and high patient numbers, many of our nurses were receiving incentive pay for taking on extra shifts, for example, and we didn't want to deny them that pay."

Page said although Franciscan's UKG service was recently restored, there remains considerable work to do to recover from the outage, including loading manual pay records from the past month back into the UKG system.

Preparing for Future Attacks

Data security experts say that customers of third-party providers like UKG not only need to ensure that vendors' data security practices are modern, robust and regularly tested before signing contracts, but they also need to review their own business continuity plans to prepare for the likelihood of similar cyberattacks.

Mellen said the UKG attack holds lessons for other HR vendors in fortifying backup systems so they can get back online faster. "It's not enough to simply follow best practices, you also have to constantly test the security you've implemented to make sure it'll actually protect you in the event of an attack," she said.

White said there can be inherent security risks in using private versus public cloud services. Private clouds are dedicated to just one organization and run on that company's own infrastructure, while public clouds are shared among different organizations on the Internet. Security experts say public clouds often are more hardened because they're regular targets of hackers and they tend to attract the best security professionals in the field.

"The UKG attack was on a platform where you're just not going to get the updates and security you would on a more modern public solution," White said. "In general, security on public clouds is tested and updated more regularly and is more robust than private clouds, which often have more outdated technology."

White said the after-care support from UKG for customers affected by the outage will prove telling. "We've had inquiries from both UKG clients and nonclients about wanting to upgrade from their current system and move to more-modern cloud offerings that their vendors have," White said. "But will UKG have the support staff to handle those transitions? And for those customers who don't want to move or upgrade right away, what will UKG do to assure them they have fixed whatever gaps may have existed in their security layer?"

Sam Grinter, senior principal analyst in the HR practice for Gartner, said he expects many affected UKG clients to move to new platforms with the vendor. "I anticipate part of the strategy going forward, for both UKG and Kronos Private Cloud clients, would be to migrate sooner than initially planned to more-modern platforms, which should have stronger security," he said.

Legal Exposure for Vendor and Clients

Attorneys say given that customer data was compromised and some companies weren't able to pay employees accurately during the outage, both UKG and its clients could be subject to lawsuits.

Vendor contracts are typically written with an eye toward data security issues. "I'm sure many impacted companies are looking closely at the terms of their contracts to see if there are grounds for a lawsuit," said Michael Bahar, co-lead of the global cybersecurity and data privacy practice at Eversheds Sutherland law firm.

Although there's an assumption that legal responsibility for data security falls primarily to a software-as-a-service vendor, that's not always the case, Bahar said. Contracts can be structured to share responsibility with the client.

"You can allocate certain responsibility and liability via contract, but data owners—the vendor's client—increasingly are not able to fully contract around their data security obligations because there is an expectation from regulators that the client will conduct proper, documented due diligence on the data security practices of the vendor," Bahar said.

In the UKG case, it's also possible employees impacted by the attack could sue, he noted. "Individuals could form a class action suit to claim they were underpaid as a result of the service outage or that their personal data was leaked as a result of their employer not conducting proper due diligence on the security practices of the vendor it contracted with," he said.

Dave Zielinski is principal of Skiwood Communications, a business writing and editing company in Minneapolis.