Kronos started notifying its customers over the weekend that it was the victim of a ransomware incident affecting the Kronos Private Cloud products Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. Kronos has not confirmed whether the incident is related to the Apache Log4j zero-day vulnerability. Kronos has advised its customers that the incident may take several weeks to resolve and that they should implement alternative business continuity protocols, since the products might be unusable for several weeks. For many companies, this means time entry and payroll services may be disrupted. It is reported that many brand-name companies are being affected by the attack on Kronos, and the American Hospital Association has stated that hospitals and health systems have been affected, which is particularly difficult with the spike in Omicron COVID-19 cases in the United States.

Each customer will have to determine how to implement alternative business continuity protocols to function without the Kronos services, and what data may have been compromised in the attack, but at this point, without more information, it is a waiting game to find out what happened and what was compromised. These incidents take time to investigate and resolve. Kronos has provided a web page of updates: https://www.ukg.com/KPCupdates

One thing we can do now is to develop backup and contingency plans around critical third-party vendors, especially in this day and age of catastrophic cyberattacks. It’s one thing to complete a tabletop simulation for your own company, but it’s just as important to simulate how you would function without the services of a critical third-party vendor.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.