Attack on Kronos Causes Sainsbury's Payroll System Outage
'Contingencies are in Place,' Sainsbury's Spokesperson Says
Sainsbury's, the U.K.'s second-largest supermarket chain, has confirmed that it suffered an outage in its payroll system caused by a cyberattack on its cloud-based payroll service supplier, the U.S.-based multinational firm Ultimate Kronos Group, which was hit by the attack a week earlier.
A Sainsbury’s spokesperson tells Information Security Media Group, "We're in close contact with Kronos while they investigate a systems issue. In the meantime, we have contingencies in place to make sure our colleagues continue to receive their pay."
Sainsbury's is said to have lost "a week's worth of data for its 150,000 employees working in the U.K.," according to a report from the BBC.
"Multiple departments, including payroll, human resources (HR) and accounting are now using historical data and working patterns to make sure employees are paid the correct amount on time," the BBC reports.
Steven Hope, CEO and co-founder of Authlogics, says, "Contingency plans are key. In this incidence, it is reassuring to know Sainsbury’s has a contingency ... to ensure staff get paid for Christmas, especially because unpaid staff at this time of year could be costly in many ways."
When ISMG asked Sainsbury's about the impact of this outage, whether its data had been affected in the Kronos ransomware incident and the expected timeline for complete resolution of the issue, the spokesperson said, "For anything further, at this stage, it's best to speak to Kronos."
Ultimate Kronos Group, or UKG, told ISMG, "We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services."
Neither Sainsbury's nor Kronos has issued a formal statement about the impact of the outage.
Kronos Attack Update
In an update posted on Sunday, Kronos confirmed that it became aware of the cyberattack on Dec. 11, and its initial investigation determined that it was a ransomware attack. The attack affected the Kronos Private Cloud - or KPC - environment that hosts UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions, according to the update.
On Tuesday, KPC updated its list of FAQs related to this incident and told customers that only the products and solutions mentioned were affected. "Kronos Private Cloud is a private environment managed by UKG, where we host customer single-tenant solutions. In contrast, UKG Dimensions, UKG Ready, UKG Pro, and UKG HR Service Delivery are all completely separate code bases operated in completely separate environments and clouds from Kronos Private Cloud," it said.
"We are working with leading cybersecurity experts, and through our investigations to date have seen no evidence that the other cloud environments have been impacted," Kronos confirms.
Separate on-premises solutions for UKG Workforce Central and TeleStaff customers have also not been affected in this incident and remain functional, UKG says in its recent update.
Angry Customers
UKG's customers have raised concerns about the handling of the entire situation by the company. In a tweet, Will Weider, chief information officer at PeaceHealth, called the incident a "disaster."
This Kronos ransomware situation is a disaster for impacted organizations and, more importantly, the caregivers that work there. It is a reminder that “cloud” is not inherently better.
— Will Weider (@CandidCIO) December 19, 2021
A spokesperson for PeaceHealth tells ISMG that it has not been affected by the Kronos ransomware attack and that Weider was giving his personal opinion.
On UKG's community feed, customers expressed anger at the company for not being transparent about the investigation and the timeline for restoring normal service.
"The communication from UKG has been poor on this situation. I am the administrator for our system and have not received the email referenced above. This will be a huge issue for our agencies," says a customer with the username dgraves51530.
Another customer asks why backups were not used to restore services, and another mentions blocking or disabling all ADFS and LDAP connections to the UKG/Kronos Cloud, calling it an "untrusted entity."
Business Continuity Alternative
The ransomware attack on Kronos has affected several of UKG's customers - although no names have been mentioned - but the hardest hit are hourly workers who are unable to clock in and out of their shifts, keep track of paychecks or track paid leave, says Ashik Ahmed, CEO of Deputy, a provider of workforce scheduling and shift management software.
He says the Kronos attack has affected millions of shift workers by compromising their pay and paid leave during the holidays and that to help stranded businesses, Deputy is providing a business continuity alternative to Kronos' customers at no additional cost until the crisis is resolved. This will "enable them to continue to schedule staff, manage time and attendance, and calculate payroll through accurate time sheets," Ahmed says.
Kronos has recommended that its customers evaluate and implement alternative business continuity protocols, Ahmed says, "And that's exactly what we are planning to do - give an alternative until the situation is resolved," he tells ISMG.