UKG Kronos Private Cloud Status Updates Archive

Below is an archive of all past updates.

Status Update as of Jan 14, 2022

Dear Kronos Private Cloud Customers –

As promised, today we are providing our weekly status update on our KPC recovery efforts. We will continue to provide these updates on a weekly basis until our recovery process is complete.

KPC Recovery Progress Update

  • At this time, we are pleased to report that we have informed over 1,000 affected customers that their environments are back online and ready for them to log in. We are ahead of schedule as it relates to our January 28 target date for restoration of all customers.
    • For those customers who are in the process of utilizing our Recovery Guides to reconcile their data and restore functionality to their solutions, we have created a series of videos that provide step-by-step instructions for each guide. These can be found on the KPC Resource Center on Kronos Community here.
  • If you have not yet been notified that your environment is ready for you to reconnect and validate, please know we're working around the clock and have a process that is working efficiently and effectively to bring remaining customers back online.
  • As we have previously communicated, you will receive updates when you reach key milestones in the recovery process (Server Recovery, Database Recovery, Application Readiness, Validation and Reconciliation). In the meantime, please feel free to reach out to your Recovery Liaison for more information.

KPC Security Enhancements Update

  • It is important to us that you understand the detailed process that we are following to get every impacted customer ready to restore connection to the KPC:
    • To ensure the security of each restored customer environment, we are following a systematic approach that requires each system in the KPC to return to operation only after it has been scanned, rebuilt (if needed), reviewed by our product teams, and cleared for operation by our security experts.
    • This meticulous approach enables us to be highly confident that we have eliminated any security threats associated with this incident before we deem a system to be clear for operation.
    • Other steps we are taking to enhance the security of each restored customer environment include assisting our customers in identifying any needed software patching specific to their environment, as well as implementing a range of system hardening measures to strengthen the defense of the KPC environment overall.
  • UKG’s corporate IT systems, including UKG’s email system, have not been affected and remain online.
  • We are only restoring individual customer environments when we have completed a rigorous process and are confident that the customer may safely reconnect.

Forensic Investigation Update

  • We also want to provide an update on the progress we’ve made on our forensic investigation into this incident.
  • Our investigation remains ongoing and we continue to work diligently with cybersecurity experts.
  • At this point in the investigation, we have identified and analyzed a relatively small volume of data that was exfiltrated by the threat actor, and have notified affected customers of these findings.
  • Any customer whose sensitive business data and/or employee data is confirmed to have been exposed as a result of this attack will be notified by UKG consistent with our obligations, and we will take appropriate steps to support these customers in protecting affected individuals.
  • When our forensic investigation is complete in several weeks, we will have additional information to provide upon request.

Thank you again for your continued patience and support as we advance our recovery process. We are encouraged by the progress we’ve made over the past week and look forward to bringing many more customers back online over the next several days.


Status Update as of Jan 7, 2022

Dear Kronos Private Cloud Customers –

At this point in our recovery process, every impacted customer should now be in contact with their designated Recovery Liaison who will be available to answer questions and share progress updates directly throughout the duration of the recovery process.

  • Since impacted customers are now working directly with their Recovery Liaisons, we are going to shift our regular updates to now take place on a weekly basis. Those weekly updates will provide an overall view of how our recovery process is progressing. We will, however, continue to provide direct updates to customers as they move through the recovery process.
  • While the dedicated team overseeing our [email protected] inbox will continue to field any additional questions, you can direct specific questions about your system to your Recovery Liaison.

We appreciate your patience and ability to adapt and work alongside our teams through this process. The security of your systems is of utmost importance to us, and we are continuously working toward a full recovery for all customers.


Status Update as of Jan 6, 2022

Dear Kronos Private Cloud Customers –

We are currently making significant progress on our restoration efforts. All impacted customers should now be in contact with their dedicated UKG Recovery Liaison.

  • Recovery Liaisons will continue sharing information through the duration of the recovery process and following up on any communications you receive.
  • Your designated Recovery Liaison will be able to provide an update on the status of your system recovery by the end of the day tomorrow, January 7th.
  • As a reminder, to prepare for your restoration, please download and complete the appropriate checklists for UKG Workforce Central, Telestaff, HR/Payroll, and Banking Solutions/FMSI – all of which can be accessed using the links below:
  • You must have a UKG Kronos Community log-in to access these checklists. If you are an affected customer and do not have access to the Kronos Community, you can register HERE.

Thank you again for your continued patience as we work around the clock to restore your system quickly and securely.


Status Update as of Jan 5, 2022

Dear Kronos Private Cloud Customers –

Yesterday, impacted customers should have received an email from your organization's dedicated UKG recovery liaison.

Each organization’s designated recovery contact is available to share information with you along the way to help set expectations for your time to recovery and what you can do to prepare for the restoration of your system.

Your designated recovery liaison will update you on the status of your system recovery by end of day, January 7th.

To prepare for your restoration, please download and complete the appropriate checklists for UKG Workforce Central, Telestaff, HR/Payroll, and Banking Solutions/FMSI – all of which can be accessed at https://www.ukg.com/KPCupdates/kpc-faq. You must have a UKG Kronos Community log-in to access these checklists. If you are an affected customer and do not have access to the Kronos Community, you can register HERE.

Thank you again for your continued patience as we work to restore your system.


Status Update as of Jan 4, 2022

Dear Kronos Private Cloud Customers –

Our KPC recovery process continues to progress.

Earlier this evening (Eastern Time on January 4), impacted customers should have received an email from your organization's dedicated UKG recovery liaison. As we enter this new phase of recovery, your liaison will be available to provide visibility into the process and share updated information.

As we move through the recovery process, there are two main phases, each with two key milestones:

System Recovery:
  • Server Recovery: Safely recovering your servers
  • Database Recovery: Doing a health check on your database(s)
Application Recovery:
  • Application Readiness: Validating that your integrations, user interface, and data collection (if applicable) are working as expected
  • Customer Validation and Reconciliation: Giving you access to your system so that you can validate your data and complete a checklist of reconciliation activities

Your designated recovery liaison will update you on the status of your system recovery by end of day, January 7th.

Additionally, we now have a Banking Solutions/FMSI Recovery Guide and Readiness Checklist available HERE. You must have a UKG Kronos Community log-in to access this checklist. If you are an affected customer and do not have access to the Kronos Community, you can register HERE.

All checklists for UKG Workforce Central, Telestaff, HR/Payroll, and Banking Solutions/FMSI customers can be accessed at https://www.ukg.com/KPCupdates/kpc-faq

As always, we appreciate your continued patience as we work to safely and securely restore systems.


Status Update as of Jan 3, 2022

Dear Kronos Private Cloud Customers –

This week marks an important point in the next phase of our restoration efforts. Your organization should expect a dedicated UKG Recovery Liaison to reach out to you between January 4 and January 7 to discuss the restoration process.

An email was sent yesterday (Sunday, January 2) to several key contacts at your organization with a link to submit two designated recovery contacts for your organization. If your organization has not already submitted your contacts or did not previously receive this email, please click HERE to access the form and submit your designated recovery contacts by end of day tomorrow (January 4). You will need to provide your UKG/Kronos Solution ID# (SID) on the form.

Please coordinate with the other stakeholders at your organization to ensure you are only submitting one form on behalf of your organization.

We appreciate your continued patience as we work to restore our systems as quickly and securely as possible.


Status Update as of January 2, 2022 

Dear Kronos Private Cloud Customers –

Earlier today (Sunday, January 2), we sent an email to several key contacts at your organization to request that they designate KPC Recovery Contacts to work with on your restoration. The email with a link to submit your designated recovery contacts was sent to the key contacts we have on record in our CRM system as Change Approvers, Network/Contacts, and/or Emergency Contacts.

Once your organization has submitted your designated two recovery contacts, a dedicated UKG Recovery Liaison will reach out to your designated contacts between January 3 and January 7 to discuss the restoration process.

Also as a reminder, if you have not already done so, in order to prepare for the restoration, please make sure you have downloaded the Workforce Central Restoration Checklist from the Kronos Private Cloud | Resource Center on the Kronos Community here and begin completing it, so that when we are ready to bring you back online, you are prepared. 

  • In addition to the Workforce Central Restoration checklist above, we now also have checklists available for our impacted HR/Payroll customers and Telestaff customers:

We appreciate your continued patience as we work to restore our systems as quickly and securely as possible.


Status Update as of January 1, 2022 

Dear Kronos Private Cloud Customers –

Happy New Year! As we head into the new year, just a reminder that we are also moving to the next phase of our restoration process. We will contact you via email on Sunday, January 2, with instructions to provide key contacts within your organization to assist with the recovery process.

As we head into this next phase, we again want to take this opportunity to highlight a few key points and how you can prepare:

  1. We have a Workforce Central Restoration Checklist. We ask that you begin completing it, so that when we are ready to bring you back online, you are prepared. You must have a UKG Kronos Community log-in to access this checklist. If you are an affected customer and do not have access to the Kronos Community, you can register here. This is just a reminder – if you have already completed this document, it has not changed since we originally sent it on December 30th.
  2. In addition to the Workforce Central Restoration checklist above, we now have two new checklists available for our impacted HR/Payroll customers and Telestaff customers:
    1. Checklist for KPC HR/Payroll Customers. You must have a UKG Kronos Community log-in to access this checklist. If you are an affected customer and do not have access to the Kronos Community, you can register here.
    2. Checklist for Telestaff Customers. You must have a UKG Kronos Community log-in to access this checklist. If you are an affected customer and do not have access to the Kronos Community, you can register here.
  3. For your reference, we also have made available a webinar summarizing the restoration process and timeline. If you have not yet had a chance, we encourage you to watch by visiting Kronos Private Cloud | Resource Center in the Kronos Community. You must have a UKG Kronos Community log-in to access the Resource Center above. If you are an affected customer and do not have access to the Kronos Community, you can register here.

We will be in touch tomorrow with more details.


Status Update as of December 31, 2021 

Dear Kronos Private Cloud Customers –

Yesterday, you should have received an email and video from us on the next phase of the restoration process. Before everyone heads out for the holiday weekend, there are a few details we would like to highlight on our restoration efforts and what you can do to prepare:

  • First, we have prepared a video summarizing the restoration process and timeline. If you have not yet had a chance, we encourage you to watch by visiting Kronos Private Cloud | Resource Center in the Kronos Community. You must have a UKG Kronos Community log-in to access the Resource Center above. If you are an affected customer and do not have access to the Kronos Community, you can register here.
  • Next, there are several steps you can take to prepare for your restoration. Please make sure you have downloaded the Workforce Central Restoration Checklist that we emailed to you yesterday (Thursday, December 30) and begin completing it. If you already downloaded it from yesterday’s email, this is just a reminder (the document has not changed). You must have a UKG Kronos Community log-in to access this checklist. If you are an affected customer and do not have access to the Kronos Community, you can register here.
  • In addition to the Workforce Central Restoration checklist above, we now have two new checklists available for our impacted HR/Payroll customers and Telestaff customers:
  • We will contact you via email on Sunday, January 2, with instructions to provide key contacts within your organization to assist with the recovery process.
  • Finally, as a reminder, starting next week, we will begin reaching out directly to your organization about your individual restoration process. You should expect to hear from us between January 3 – January 7th.

We understand the challenges this situation has presented for you and are incredibly grateful for your continued patience. We wish you all a very happy new year.


Status Update as of December 30, 2021 

Highlights:

  • Pilot program successful. We are now working on restoration of customers in parallel, which will begin in phases during the week of January 3 and be complete by January 28.
  • Restoration will include the capabilities that are required to schedule employees, track time and attendance, and process payroll.
  • You will receive more information about your individual restoration process and timing during the week of January 3.
  • A webinar summarizing this information is available on the Kronos Private Cloud | Resource Center in the Kronos Community
  • You must have a UKG Kronos Community log-in to access the Resource Center above. If you are an affected customer and do not have access to the Kronos Community, you can register here.

Dear Kronos Private Cloud Customers –

Our pilot program for testing out the restoration process was successful and we have been able to identify areas where we can automate processes to bring larger groups of customers back online more efficiently and securely.

We are now beginning the restoration of customers in a parallel fashion. Below is information on what we are doing to prepare for full restoration, set expectations for when you will be brought back online, and what you can be doing to prepare.

What UKG is Doing to Prepare for Full Restoration

  • You will receive more information about your organization’s restoration process between January 3 – January 7.
  • Phase 1: We are currently running customer environments through a validation and scanning process to check your databases for corruption, malware, or any other issues (such as older versions of software and custom configurations) that might impact your recovery timeline. Validating and scanning our customers’ systems are automated processes that we have developed based on the results of our pilot program, and it will take several more days for all environments to be completed.
  • In parallel to Phase 1, we are implementing additional hardening measures to the Kronos Private Cloud including patching it for Log4j and other potential vulnerabilities, rotating and resetting all passwords, and several other hardening measures.
  • Phase 2: Once Phase 1 is complete, you will be notified and moved into the next phase of our restoration process which involves restarting your organization’s environment and then validating that your system is ready for production.

Restoration Timing

  • The speed at which we can move you through the phases of recovery will be based on the technical state in which we find your environment after the automated scans, as well as the complexities and configuration of your environment. If you have no database issue, are on a recent version of the software, and have limited customizations within your environment, we can move more quickly in restoring your solution.
  • Between January 3 and January 7, we can give you a better sense of your own individual restoration timeline. You do not need to log a case or check in with anyone to find out if we know the specific date for your restoration yet, because we will proactively reach out to you as soon as we know.
  • We have organized our teams to bring as many customers live as possible. In light of the global pandemic, we have specialist teams dedicated to healthcare, first responders, and customers who rely on UKG for payroll processing. These teams are in addition to separate teams that are simultaneously working on other customer groups in parallel.

What You Can Do to Prepare

  • There is some work required on your end to prepare for the phases of restoration. Please download the Workforce Central Restoration Checklist from the Kronos Private Cloud | Resource Center on the Kronos Community here and begin completing it, so that when we are ready to bring you back online, you are prepared. We will be sending a checklist for HR/payroll, Telestaff, and Banking Solutions/FMSI to customers who use those solutions in the next few days.
  • You must have a UKG Kronos Community log-in to access the Resource Center above. If you are an affected customer and do not have access to the Kronos Community, you can register here.
  • Additionally, once you’ve regained access to your system, you will want to complete certain activities such as rescheduling events, data validation, and reconciliation – in other words, inputting data that you have been tracking via workarounds back into your solution. We will be providing job aids and documentation to support this process.

We are extraordinarily grateful for your patience throughout this process, and we understand how stressful and challenging this has been for you. We are doing everything in our power to bring you back online as quickly as possible – but are prioritizing safety and security to ensure this incident has no further impact on your solutions.


Status Update as of December 29, 2021 

As part of our continued commitment to providing frequent and transparent communications with you, below is the daily update for December 29, 2021:

  • We continue to make substantial progress on our recovery phase. Based on the results of our initial pilot program, we have now developed a more detailed customer restoration process to bring customers back online in a safe and secure fashion. Customers should expect to receive an outline on the next steps for this process by the end of the day this Friday, December 31.
  • We will also be providing an initial restoration checklist to all customers within the next 72 hours. This will help you take the necessary steps on your end to prepare for the restoration process.
  • As a reminder, we now have a dedicated inbox for any additional questions about the cybersecurity incident. Please route all related questions to [email protected] and our dedicated team will work to address your inquiry as quickly as possible.

As we learn more, we will continue to be transparent and provide updates. Thank you for your continued patience and understanding. We continue to work around the clock to move into this next phase of recovery and bring your systems back online safely and securely.


Status Update as of December 28, 2021 

We understand the importance of receiving updates during this time, and we are committed to providing frequent and transparent communications with you. Below is the daily update for December 28, 2021:

  • We are making good progress and have completed the validation of the process we will use to restore our customers’ production and back-up databases safely. We have further developed the automation of our restoration process and are further hardening our infrastructure to support the automation.
  • We have completed the validation of a number of pilot customers in the Kronos Private Cloud and have reached out to those pilot customers to begin the process of giving them access to their environments. This pilot program is the first step in our overall effort to bring all of our customers back online.
  • Once the pilot program is complete this week and we have restored the pilot customers' end-to-end access to their systems, we will have a better idea as to the pace of the recovery for other customers. The Kronos Private Cloud houses thousands of customers and each customer's environment needs to be addressed individually, so we still expect this process to take several weeks. We will have a better sense of that timeline after the pilot is complete this week.
  • We are working on a restoration checklist for you for the UKG applications you use — Workforce Management (time and scheduling), HR/Payroll, and Police and Fire Scheduling — to help you prepare for the restoration. The checklist will be shared with you prior to your restoration.
  • UKG has several options for temporarily collecting time, downloading punches from clocks, and managing schedules, in addition to several partner solutions that are available at no charge to impacted customers. To read more about the available interim solutions visit: https://www.ukg.com/KPCupdates/kpc-faq#interim
  • We have posted information on a new no-charge interim solution for Telestaff, from one of our partners, HRTM Consulting. It is an Excel-based rostering tool that is available now by emailing [email protected].
  • Regarding data exfiltration - our investigation is still ongoing and we are working diligently with cybersecurity experts to determine whether and to what extent sensitive customer or employee data has been compromised. As is typical in ransomware incidents, it may take several more weeks or more to fully determine whether a specific customer's sensitive data (and what kind of data) may have been compromised. If we learn that sensitive customer business data and/or employee data (PII) was exposed because of this attack, we will meet any obligations we have to inform affected customers and take appropriate steps to protect affected individuals.

We will continue to be transparent and provide updates as we make additional progress. Thank you for your continued patience and understanding. We will continue to work around the clock to answer your questions and restore your systems as quickly and safely as possible.


Status Update as of December 27, 2021

We understand the importance of receiving updates during this time, and we are committed to providing frequent and transparent communications with you. Below are the updates for December 27, 2021:

  • We have added a new instructional video to the Kronos Private Cloud Resource Center in the UKG Kronos Community for impacted customers demonstrating how to use the Excel Timesheet Punch Aggregator tool, which is an interim workaround for customers to consolidate punch files and better visualize how many hours each employee worked. It also provides a means to store manually-added punch data for later integration back into UKG Workforce Central.
    • To read more about the Excel Timesheet Punch Aggregator, click here.
    • If you would like access to the Excel Timesheet Punch Aggregator contact UKG Customer Support.
    • If you already have the Excel Timesheet Punch Aggregator and want to watch the video to help you use this tool, visit the Kronos Private Cloud | Resource Center.
    • You must have a UKG Kronos Community log-in to access the Resource Center above. If you are an affected customer and do not have access to the Kronos Community, you can register here.
  • Today we have also introduced a new way for customers to ask questions related to the Kronos Private Cloud ransomware incident. If you have general questions about the cybersecurity incident, please reach out to [email protected] and an incident response team member will be in touch as quickly as possible.
  • If you have questions specific to your own organization’s environment or data, please continue to submit those to UKG Customer Support by creating a case in the UKG Kronos Community.
    You can also continue to access our regular updates at https://www.ukg.com/KPCupdates where you can subscribe to receive updates to your inbox. This resource includes a list of frequently asked questions, which we are continuously updating.
  • We continue to work alongside third-party experts in our remediation and restoration process. Thank you for your patience and understanding as we work together to restore service as quickly and safely as possible.

Status Update as of December 26, 2021

We understand the importance of receiving updates during this time, and we are committed to providing frequent and transparent communications with you. Our restoration and remediation work continues to progress as quickly and safely as possible. Below are the updates for December 26, 2021:

  • We have made significant progress and were able to restore our foundational "core services" layer. We now have access to all back-up data and all production environments.
  • We have begun to validate the integrity of our customers' production and back-up databases.
  • We have begun a pilot to test bringing back customer systems. This pilot program will provide visibility to our end-to-end processes and help us identify the potential exceptions that will occur.
  • As we bring these initial systems back, we will have a better idea as to the pace of the recovery for all other systems. The Kronos Private Cloud houses thousands of customers and each customer's environment needs to be addressed individually. We will not have visibility to the pace of how soon we can bring customers back online until we do the required work during this upcoming week.

Kronos Private Cloud Daily Update – December 25, 2021

We understand receiving updates during this time is important, and we are committed to transparent communication with you. Our restoration and remediation work continues to progress as quickly and safely as possible.

To date, we have created two videos to help affected customers use the interim solutions from UKG, including the Excel Scheduling Solution and the Quick Timestamp Offline Mode (QTSO).

Thank you for your continued patience and understanding throughout this incident.

We hope you are getting time to spend with your families and friends this holiday – and want to assure you that our team dedicated to the UKG Kronos Public Cloud cybersecurity incident is working diligently every day, around the clock to remediate the situation.


Kronos Private Cloud Daily Update – December 24, 2021; 8:00 p.m. EST

We understand receiving updates during this time is important, and we are committed to transparent communication with you. Our restoration and remediation work continues to progress as quickly and safely as possible.

Today we have a few updated FAQs available on our website:

  • The availability of our new interim On-Premise Clock Punch Server option to help impacted Workforce Central customers collect punches from clocks and store them in CSV format while UKG Workforce Central is unavailable. (Read more here and contact UKG Customer Support to request this new tool.)
  • Information on a new no-charge interim solution for Telestaff, from one of our partners, HRTM Consulting. It is an Excel-based rostering tool that is available now by emailing [email protected].
  • New contact information for customers using CloudApper RightPunch as well as those using Asher Group to get support with those solutions.

Thank you for your continued patience and understanding throughout this incident.

We hope you are getting time to spend with your families and friends this holiday – and want to assure you that our team dedicated to the UKG Kronos Public Cloud cybersecurity incident is working diligently every day, around the clock to remediate the situation. If you need assistance, please don’t hesitate to reach out to your UKG Account Team or customer support.


Kronos Private Cloud Daily Update – December 23, 2021; 8:00 p.m. EST

UKG is now providing our impacted customers a daily email with an update on progress of our Kronos Private Cloud restoration. The update below is current as of December 23, 2021 at 8PM ET.

This same update was also reviewed during our Webinar on December 23, 2021, which will be repeated again on Friday December 24 at 7am EST, 10am EST and 1pm EST for customers who were unable to watch today.

Today's update includes the following sections:

  • Progress of Remediation and Restoration
  • Restoration Timeline
  • Interim Solutions
  • Log4j Update
  • Protecting Against Future Attacks/Hardening the Kronos Private Cloud
  • Hardening UKG's Other Environments and Products not in Kronos Private Cloud (including UKG Pro, UKG Ready, UKG Dimensions, and UKG HR Service Delivery)

Progress of Remediation and Restoration

UKG has dedicated extensive resources working around the clock to bring all affected customers back online in a safe and secure manner. The threat actor encrypted both our production environments and our warm stand-by disaster recovery environments, and disabled the communication layer to our back-up databases — so the recovery process is taking place in phases.

Progress as of December 23, 2021:

  • We have made significant progress and are now in the process of restoring our foundational "core services" layer.
  • We have regained access to back-up data, meaning that if we cannot restore customer data from the production environment, we can restore it from a point prior to the attack on December 11, 2021 (likely through Friday, December 10, 2021).
  • At the same time, we are also working to restore the production data. In line with best practices, we are being very thorough in scrubbing the production data and back-ups to make sure they are clean and do not contain malware.

Recovery and Restoration Timeline

  • In the coming days, we will complete the restoration of our core services layer, begin to check our customers' production and back-up databases for corruption and/or malware, and prepare to test the processes for bringing customers back online.
  • During the week of December 27, we will run a pilot and bring back some — less than five — customer systems. This will provide visibility to our end-to-end processes and help us identify the potential exceptions that will occur.
  • As we bring these initial systems online, we will have a better idea as to the pace of the recovery for all other systems. The Kronos Private Cloud houses approximately 2,000 customers and each customer's environment needs to be addressed individually. We will not have visibility to the pace of recovery, and when we can bring customers back online, until we do the required work during the week of December 27.
  • We are also working on a restoration checklist for the various applications — Workforce Management (time and scheduling), HR/Payroll, and Police and Fire Scheduling — to help you prepare for the restoration. The focus of the checklist is to help customers reconcile what employees have been paid against actual amounts due once the system is restored and customer-specific pay rules are applied. The checklist is targeted at capturing the manual workarounds that you have put in place.

Interim Solutions

UKG has several options for temporarily collecting time, downloading punches from clocks, and managing schedules, in addition to several partner solutions that are available at no charge to impacted customers. To read more about the available interim solutions visit: https://www.ukg.com/KPCupdates/kpc-faq#interim

Customer Data Impact Status

Our investigation is ongoing, and we are working diligently with cybersecurity experts to determine whether and to what extent customer or employee data has been compromised. As is typical in ransomware incidents, it may take several weeks (or even months) to fully determine whether a specific customer's data (and what kind of data) may have been compromised.

If we learn that sensitive customer business data and/or employee data was exposed because of this attack, we will meet any obligations we have to inform affected customers and take appropriate steps to protect affected individuals.

Log4j Update

While we certainly examined the possibility, we have found no evidence at this time to indicate that this incident is related to known Log4j vulnerabilities.

Unrelated to this incident, we are pursuing continuous remediation of Log4j across all our systems in line with the latest guidance. UKG has applied patches, including those for CVE-2021-44228 and CVE-2021-45046, and is now working through the most recently identified vulnerability, CVE-2021-45105, across all our products that are not on the Kronos Private Cloud. Once the Kronos Private Cloud is restored, we will remediate that environment up to all known vulnerabilities before we bring the environment back online.

As always, we encourage all our customers to be on the latest version of our software. We are also looking at the patching programs of our vendors. We are staying current with the latest information and recommendations, and we will apply additional updates as they become available.

Protecting Against Future Attacks/Hardening the Kronos Private Cloud

The security and privacy of your information is of the utmost importance to us and we are taking measures to protect against this type of incident in the future. Leading privacy and security firms Mandiant and West Monroe are working in parallel to test and continually harden our environment.

Prior to restoring customer access to the Kronos Private Cloud environment, we will deploy several additional steps to further harden the Kronos Private Cloud environment against future attacks.

Some examples of the additional measures we are implementing include:

  • We will be expanding the scanning and monitoring program of these environments using current insights from this on-going investigation.
  • We will be supplementing our SOC monitoring with additional third-party managed service monitoring.
  • We will be further expanding the deployment of additional specific monitoring agents across the environment.
  • We will be further expanding cold storage backups.

Hardening UKG's Other Environments and Products not in Kronos Private Cloud (including UKG Pro, UKG Ready, UKG Dimensions, and UKG HR Service Delivery)

First, it's important to understand that the Kronos Private Cloud is a completely separate environment from the cloud environments where our other solutions such as UKG Pro, Ready, Dimensions, and HR Service Delivery run. Kronos Private Cloud is architected and delivered differently from our other cloud environments.

UKG Pro, UKG Dimensions, UKG Ready, and UKG HR Service Delivery are pure SaaS and multi-tenant. Those offerings are delivered in different Data Centers and Clouds, and are built, supported, secured, and operated differently from the Kronos Private Cloud solutions.

Even though we have no evidence that any systems outside of Kronos Private Cloud have been impacted, we have already taken several additional steps to further harden the environments of our other non-Kronos Private Cloud products (such as Pro, Dimensions, Ready, and HR Service Delivery):

Some examples of these additional measures include:

  • We are expanding the scanning and monitoring program of these environments using current insights from this on-going investigation.
  • We are supplementing our SOC monitoring with additional third-party managed service monitoring.
  • We will be further expanding the deployment of additional specific monitoring agents across the environment.
  • We will be further expanding cold storage backups.

New Questions & Answers for Impacted and Non-Impacted Customers as of 12/17/2021 at 2:30pm ET

NOTE: For convenience in having all current answers in one place, the newest questions in this Q&A are at the top of this post in italics, followed by a complete list of previously answered questions right below the new questions. Previously answered questions are not in italics.
 
If the customer has other UKG products (like UKG Workforce Central on-premise, UKG Dimensions, or UKG Ready), can they redirect their clocks that are usually connected to UKG Workforce Central SaaS to their other UKG solution? If yes, does location (e.g., country of deployment) matter?
There are some circumstances where this may be possible. Customers should talk to their ERM or customer support rep, or submit a support case to determine if this is an option. If the customer has employees and time clocks in multiple countries, this may not be possible due to different pay rules in different countries.
 
Can affected customers utilize a UKG mobile app, like the Workforce Central SaaS mobile application, to capture time punches?
The Workforce Central SaaS mobile application is not an option at this time because it would be unable to connect with the Kronos Private Cloud. Similarly, because UKG mobile applications are associated with specific products, a customer cannot utilize a non-Workforce Central mobile app to capture time and attendance. UKG strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim. To support customers with manual time collection, UKG has created a standard electronic (Excel-based) template, available via Knowledge Base article 000158002. UKG continues to explore other potential options and we are working to provide recommendations specific to each customer's product and clock model soon.
 
Can UKG create a like-for-like restore or would UKG consider building a completely different environment for a customer?
Due to the complexities of each customer’s business rules and needs, we believe at this time the faster solution will be to do a system restore versus a new implementation for each customer.
 
Should the UKG mobile app be uninstalled by affected customers’ end-users (employees) from their mobile device?
At present, UKG has no reason to believe that the presence of the UKG mobile application for Workforce Central SaaS poses a risk to end-user devices.
 
Have Kronos solutions outside the U.S. been affected?
Yes, UKG Workforce Central SaaS, UKG TeleStaff, Healthcare Extensions, and UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions) deployed in the Kronos Private Cloud are impacted regardless of country.
 
Is there a KPC incident resource hub on Kronos Community?
Yes. The KPC incident resource hub (https://community.kronos.com/s/kpc?language=en_US) on the Kronos Community helps to consolidate relevant Knowledge Base articles and discussion threads. Please note that you must have a Kronos Community log-in to access this page.
 
Previously Answered Questions posted on 12/16/2021:
 
General Questions

What is the nature of the current incident affecting UKG solution availability? 
UKG is currently mitigating the impact of a ransomware incident affecting a small subset of UKG solutions. It is limited to those instances that are hosted in the Kronos Private Cloud (KPC). UKG has engaged with leading cybersecurity experts, notified the authorities, and is proactively communicating with impacted customers. We recognize the seriousness of this issue and are committed to supporting our customers as we work to a resolution.  

How does a UKG customer know if they have been impacted? Which solutions are impacted and which solutions are not impacted?  
Based on our ongoing investigation, this incident appears limited only to the following hosted solutions in the Kronos Private Cloud. These solutions include: 
  • UKG Workforce Central 
  • UKG TeleStaff 
  • Healthcare Extensions 
  • UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions)

At this time, we believe that instances of these solutions deployed in on-premise/self-hosted environments are not affected.   

We recognize customers often deploy a combination of UKG solutions, such as UKG Dimensions with TeleStaff, etc. It is important to note that, in these deployments, the portion of the solution deployed in Kronos Private Cloud will not be available.  

At this time, we do not believe that other UKG solutions are affected. This includes UKG Pro, UKG Dimensions, UKG Ready, UKG HR Service Delivery, and other solutions that are not hosted in Kronos Private Cloud.  

When did UKG first learn about this incident and when did UKG inform customers?  
Late on Saturday evening, December 11, 2021, we became aware of issues impacting the availability of UKG solutions using Kronos Private Cloud, specifically, Workforce Central, TeleStaff, Healthcare Extensions, and UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions).

UKG took immediate action to investigate and mitigate the issues. We have proactively communicated with our impacted customers and will continue to provide updates as we work to a resolution.  

What is UKG doing to address and resolve the issue? 
UKG is actively working to mitigate and resolve the issue by utilizing extensive resources, including engaging leading external cybersecurity experts. We have also notified the authorities.  

While that work is ongoing, we are prioritizing supporting our impacted customers. Given that it may take up to several weeks to fully restore system availability, customers will likely need to activate their own business continuity plans and use a variety of manual or semi-automated actions and workarounds to ensure employee time is accurately captured, schedules are created, and payrolls can be processed.

Has any data been compromised as a result of this incident? 
Our investigation is ongoing, and we are working diligently to determine whether customer data has been compromised. We will keep you updated as new information becomes available.

When do you expect this issue to be resolved? 
Due to the nature of the incident, it may take up to several weeks to fully restore system availability. While UKG has dedicated extensive resources to resolving this issue and supporting our impacted customers, we do not have an estimated time of resolution. As a result, UKG continues to strongly recommend our customers work with their leadership to activate their business continuity plans.

Why can’t UKG utilize its back-up or redundant systems?  
UKG employs a variety of redundant systems and disaster recovery protocols. However, due to the malicious nature of this incident, we are continuing to investigate whether there has been any impact on the Kronos Private Cloud back-up systems before determining the best approach to safely and securely handle restoration of the affected services. As a result, Kronos Private Cloud back-ups are currently unavailable.  

How do impacted customers open a case file for additional support?
Impacted customers can open a case in the UKG Kronos Community by visiting community.kronos.com. Non-impacted customers can continue to find the latest updates at www.ukg.com/KPCupdates. 

I am a new customer implementing a non-impacted solution. Will my implementation be affected? 
If you have concerns about your implementation schedule or timeline, please talk to your project team.  
 

Customer Communications, KPC Updates Site, and Community

How can customer(s) receive status updates?
We encourage customers to regularly visit UKG.com/KPCupdates for ongoing information. This site will be updated daily.

You have the option of subscribing to receive new post notifications to your inbox from ukg.com/KPCupdates.

Subscribing is easy. Just follow these steps:
  • Go to ukg.com/KPCupdates and click the “subscribe to email” button
  • Follow the on-screen instructions to enter your email address
  • Check the box to agree to receive email and then click “subscribe”
  • Be sure to check for a confirmation email in your inbox and click on the link to confirm your subscription. You must complete this step in order to begin receiving emails. The confirmation sender is: [email protected]. If you don’t receive a confirmation email, please check your spam folder.

Is it safe for UKG customers to open emails from UKG email addresses?
At this time, we have no indication that our corporate network has been compromised or that there has been any email compromise in connection to the incident.

Was the Kronos Community Salesforce platform outage related to the ransomware incident?
At this time, it appears the December 14 services issues are not directly tied to the KPC incident. Salesforce noticed an unusually high volume of traffic to our Kronos Community Salesforce URL and as a proactive measure, shut down services. After discussing the situation, Salesforce restored our services. We are continuing to investigate all the details of the outage.
 
Timeclocks, Storing Punches, and Suggested Alternatives 

Does UKG have concerns that the timeclocks for UKG Workforce Central have any potential security issues?
While our review of this matter is ongoing, at this time we have seen no evidence that this incident has impacted our customer timeclocks. As is always the case, we encourage customers to follow best practices when using a device. That includes promptly installing any patches or updating software when asked to do so, and network segmentation. If you have a question or concern that arises, please contact Support.

How can impacted customers capture employee time and attendance during this period? 
In most instances, UKG timeclocks will record and store employee punches offline until connectivity can be restored. We are working on a recommendation for customers who may have a limitation on their timeclock storage. However, UKG strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim. To support customers with manual time collection, UKG has created a standard electronic (Excel-based) template, available via Knowledge Base article 000158002. UKG continues to explore other potential options and we are working to provide recommendations specific to the customer's product and clock model soon.  

Can UKG timeclocks take and store punches locally? 
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks are designed to store punches while the clock is offline and unable to reach the WDM server. This includes Attestation Tool Kit offline forms that were previously downloaded to the clock prior to the incident. We are exploring options to provide a method to offload and preserve that data.

How long will punches be stored on UKG timeclocks when a server is offline? 
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks will store punches until their memory is full. When this occurs, the clock will display a message indicating the database is full and punches will no longer be collected. The time it takes to fill up the clock’s database with punches will vary based on your clock model and number, the volume of punches, the clock configuration, number of employees, and employee data that is configured on the clock. In general, InTouch DX and InTouch 9100 timeclocks can store approximately 100,000 punches, while InTouch 9000 and Kronos 4500 timeclocks can store approximately 10,000 punches.  

How can a customer determine how many punches are collected on their timeclock?
A person who has access to the timeclock’s “maintenance mode” setting can navigate to “reports” then “database” to view the number of uncollected punches (and ‘offline smart views’ for offline Attestation punches.) Please note that the Kronos 4500 report shows punches as ‘uncollected FIFOs’ for both simple punches and offline Attestation punches.

Can impacted customers manually collect punch data from their timeclocks? 
At present, timeclocks must have Workforce Central connectivity to collect time punch data. We are exploring options to provide a method to offload and preserve that data. In the meantime, we recommend customers consider using alternative manual methods for employees to accurately record their time worked.
 
Additional Remediation and Recovery  

Can impacted Workforce Central customers install an on-premise instance of Workforce Central, allowing them to receive employee information, punches, etc.?
Because we cannot currently access the customer’s existing environment to replicate it, this approach would require a completely new implementation.

Can impacted Workforce Central customers switch to or quickly stand up an instance of UKG Dimensions?
Because we cannot currently access the customer’s existing environment to replicate it, this approach would require a completely new implementation.

How can impacted customers process payroll during this period? 
To start, we strongly recommend that impacted customers work with their leaders to evaluate and implement alternative business continuity protocols related to the affected UKG solutions. Customers may be able to utilize previously downloaded data to create a new payroll with a prior pay period’s data. This process may include re-posting the customer's last ACH File, using a positive pay file to issue checks from Accounts Payable, or using data from a GL System or GL Export file to recreate the customer's last payroll.

While these actions would mirror the prior payroll cycle and not the current payroll cycle, upon restoration of service, our teams would then work with the customer to reconcile the difference. If UKG is not the customer's payroll provider, we suggest working with that payroll provider to explore similar options.   

Is UKG able to provide a customer with copies of historical payroll reports or files generated prior to December 11, 2021?
As we continue to investigate and mitigate the issue, we are not able to access any customer data, including copies of reports or files at this time.

Is there any way to obtain historical payroll data? 
We do not presently have an estimated time for restoration of access to historical data, but we are continuing to take all appropriate actions to remediate the situation.   
 
Incident Background 

Who is leading the investigation? 
UKG has engaged leading external cybersecurity and other experts to assess and resolve the matter. We also have multiple internal teams engaged to support our response and remediate the situation.  

Who or what organization is responsible for this ransomware incident? 
Based on the status of our ongoing investigation, we are unable to provide further details.   

Precisely what information was accessed or exposed? 
Our investigation is ongoing and we are working diligently to determine if customer data has been compromised.

Can this ransomware incident extend from the Kronos Private Cloud to customer IT infrastructure and systems? 
We have not seen any evidence of this to date.  

Was UKG the only company targeted by the cyber-attacker? Were other companies involved? 
Given the ongoing investigation, we will not speculate on additional impact outside of our organization.  

Is this related to the Log4j vulnerability that was recently discovered? 
Log4j is a Java-based logging tool that is directly embedded in popular software applications across many industries. As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability. We are currently investigating whether or not there is any relationship between the recent Kronos Private Cloud security incident and the Log4j vulnerability.  
 

 


Update for Impacted Customers – December 16, 2021; 3:30 p.m. EST

We understand receiving timely updates about our ongoing response is important, and we are committed to communicating with impacted customers as transparently as possible.

We wanted to inform you that UKG recently created a KPC incident resource hub on the Kronos Community. This resource hub is located at https://community.kronos.com/s/kpc?language=en_US and consolidates relevant Knowledgebase articles and discussion threads/groups.

Note that you must have a Kronos Community log-in to access this page. Please log in (https://community.kronos.com/s/login/?language=en_US) or register (https://community.kronos.com/AppsCommunityRegistrationpage) to access the KPC Resource Center in the UKG Kronos Community.

 


Frequently Asked Questions – December 16, 2021; 12pm EST

We are providing an updated Q&A for impacted customers, which includes new questions and updates to questions previously posted on December 15.
 

General Questions

What is the nature of the current incident affecting UKG solution availability?  
UKG is currently mitigating the impact of a ransomware incident affecting a small subset of UKG solutions. It is limited to those instances that are hosted in the Kronos Private Cloud (KPC). UKG has engaged with leading cybersecurity experts, notified the authorities, and is proactively communicating with impacted customers. We recognize the seriousness of this issue and are committed to supporting our customers as we work to a resolution. 

How does a UKG customer know if they have been impacted? Which solutions are impacted and which solutions are not impacted?  
Based on our ongoing investigation, this incident appears limited only to the following hosted solutions in the Kronos Private Cloud. These solutions include: 
  • UKG Workforce Central 
  • UKG TeleStaff 
  • Healthcare Extensions 
  • UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions)

At this time, we believe that instances of these solutions deployed in on-premise/self-hosted environments are not affected.  

We recognize customers often deploy a combination of UKG solutions, such as UKG Dimensions with TeleStaff, etc. It is important to note that, in these deployments, the portion of the solution deployed in Kronos Private Cloud will not be available. 

At this time, we do not believe that other UKG solutions are affected. This includes UKG Pro, UKG Dimensions, UKG Ready, UKG HR Service Delivery, and other solutions that are not hosted in Kronos Private Cloud. 

When did UKG first learn about this incident and when did UKG inform customers? 
Late on Saturday evening, December 11, 2021, we became aware of issues impacting the availability of UKG solutions using Kronos Private Cloud, specifically, Workforce Central, TeleStaff, Healthcare Extensions, and UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions).

UKG took immediate action to investigate and mitigate the issues. We have proactively communicated with our impacted customers and will continue to provide updates as we work to a resolution.  

What is UKG doing to address and resolve the issue? 
UKG is actively working to mitigate and resolve the issue by utilizing extensive resources, including engaging leading external cybersecurity experts. We have also notified the authorities.  

While that work is ongoing, we are prioritizing supporting our impacted customers. Given that it may take up to several weeks to fully restore system availability, customers will likely need to activate their own business continuity plans and use a variety of manual or semi-automated actions and workarounds to ensure employee time is accurately captured, schedules are created, and payrolls can be processed. 

Has any data been compromised as a result of this incident? 
Our investigation is ongoing, and we are working diligently to determine whether customer data has been compromised. We will keep you updated as new information becomes available.

When do you expect this issue to be resolved? 
Due to the nature of the incident, it may take up to several weeks to fully restore system availability. While UKG has dedicated extensive resources to resolving this issue and supporting our impacted customers, we do not have an estimated time of resolution. As a result, UKG continues to strongly recommend our customers work with their leadership to activate their business continuity plans. 

Why can’t UKG utilize its back-up or redundant systems?  
UKG employs a variety of redundant systems and disaster recovery protocols. However, due to the malicious nature of this incident, we are continuing to investigate whether there has been any impact on the Kronos Private Cloud back-up systems before determining the best approach to safely and securely handle restoration of the affected services. As a result, Kronos Private Cloud back-ups are currently unavailable. 

How do impacted customers open a case file for additional support?
Impacted customers can open a case in the UKG Kronos Community by visiting community.kronos.com. Non-impacted customers can continue to find the latest updates at www.ukg.com/KPCupdates. 

I am a new customer implementing a non-impacted solution. Will my implementation be affected? 
If you have concerns about your implementation schedule or timeline, please talk to your project team.  
 

Customer Communications, KPC Updates Site, and Community

How can customer(s) receive status updates?
We encourage customers to regularly visit UKG.com/KPCupdates for ongoing information. This site will be updated daily.

You have the option of subscribing to receive new post notifications to your inbox from ukg.com/KPCupdates.

Subscribing is easy. Just follow these steps:
  • Go to ukg.com/KPCupdates and click the “subscribe to email” button
  • Follow the on-screen instructions to enter your email address
  • Check the box to agree to receive email and then click “subscribe”
  • Be sure to check for a confirmation email in your inbox and click on the link to confirm your subscription. You must complete this step in order to begin receiving emails. The confirmation sender is: [email protected]. If you don’t receive a confirmation email, please check your spam folder.

Is it safe for UKG customers to open emails from UKG email addresses?
At this time, we have no indication that our corporate network has been compromised or that there has been any email compromise in connection to the incident.

Was the Kronos Community Salesforce platform outage related to the ransomware incident?
At this time, it appears the December 14 services issues are not directly tied to the KPC incident. Salesforce noticed an unusually high volume of traffic to our Kronos Community Salesforce URL and as a proactive measure, shut down services. After discussing the situation, Salesforce restored our services. We are continuing to investigate all the details of the outage.
 
Timeclocks, Storing Punches, and Suggested Alternatives 

Does UKG have concerns that the timeclocks for UKG Workforce Central have any potential security issues?
While our review of this matter is ongoing, at this time we have seen no evidence that this incident has impacted our customer timeclocks. As is always the case, we encourage customers to follow best practices when using a device. That includes promptly installing any patches or updating software when asked to do so, and network segmentation. If you have a question or concern that arises, please contact Support.

How can impacted customers capture employee time and attendance during this period? 
In most instances, UKG timeclocks will record and store employee punches offline until connectivity can be restored. We are working on a recommendation for customers who may have a limitation on their timeclock storage. However, UKG strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim. To support customers with manual time collection, UKG has created a standard electronic (Excel-based) template, available via Knowledge Base article 000158002. UKG continues to explore other potential options and we are working to provide recommendations specific to the customer's product and clock model soon.  

Can UKG timeclocks take and store punches locally? 
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks are designed to store punches while the clock is offline and unable to reach the WDM server. This includes Attestation Tool Kit offline forms that were previously downloaded to the clock prior to the incident. We are exploring options to provide a method to offload and preserve that data. 

How long will punches be stored on UKG timeclocks when a server is offline? 
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks will store punches until their memory is full. When this occurs, the clock will display a message indicating the database is full and punches will no longer be collected. The time it takes to fill up the clock’s database with punches will vary based on your clock model and number, the volume of punches, the clock configuration, number of employees, and employee data that is configured on the clock. In general, InTouch DX and InTouch 9100 timeclocks can store approximately 100,000 punches, while InTouch 9000 and Kronos 4500 timeclocks can store approximately 10,000 punches.

How can a customer determine how many punches are collected on their timeclock?
A person who has access to the timeclock’s “maintenance mode” setting can navigate to “reports” then “database” to view the number of uncollected punches (and ‘offline smart views’ for offline Attestation punches.) Please note that the Kronos 4500 report shows punches as ‘uncollected FIFOs’ for both simple punches and offline Attestation punches.

Can impacted customers manually collect punch data from their timeclocks? 
At present, timeclocks must have Workforce Central connectivity to collect time punch data. We are exploring options to provide a method to offload and preserve that data. In the meantime, we recommend customers consider using alternative manual methods for employees to accurately record their time worked. 
 
Additional Remediation and Recovery  

Can impacted Workforce Central customers install an on-premise instance of Workforce Central, allowing them to receive employee information, punches, etc.?
Because we cannot currently access the customer’s existing environment to replicate it, this approach would require a completely new implementation.

Can impacted Workforce Central customers switch to or quickly stand up an instance of UKG Dimensions?
Because we cannot currently access the customer’s existing environment to replicate it, this approach would require a completely new implementation.

How can impacted customers process payroll during this period? 
To start, we strongly recommend that impacted customers work with their leaders to evaluate and implement alternative business continuity protocols related to the affected UKG solutions. Customers may be able to utilize previously downloaded data to create a new payroll with a prior pay period’s data. This process may include re-posting the customer's last ACH File, using a positive pay file to issue checks from Accounts Payable, or using data from the GL System or GL Export file to recreate the customer's last payroll.

While these actions would mirror the prior payroll cycle and not the current payroll cycle, upon restoration of service, our teams would then work with the customer to reconcile the difference. If UKG is not the customer's payroll provider, we suggest working with that payroll provider to explore similar options.    

Is UKG able to provide a customer with copies of historical payroll reports or files generated prior to December 11, 2021?
As we continue to investigate and mitigate the issue, we are not able to access any customer data, including copies of reports or files at this time.

Is there any way to obtain historical payroll data? 
We do not presently have an estimated time for restoration of access to historical data, but we are continuing to take all appropriate actions to remediate the situation.  
 
Incident Background 

Who is leading the investigation? 
UKG has engaged leading external cybersecurity and other experts to assess and resolve the matter. We also have multiple internal teams engaged to support our response and remediate the situation.  

Who or what organization is responsible for this ransomware incident? 
Based on the status of our ongoing investigation, we are unable to provide further details.  

Precisely what information was accessed or exposed? 
Our investigation is ongoing and we are working diligently to determine if customer data has been compromised.  

Can this ransomware incident extend from the Kronos Private Cloud to customer IT infrastructure and systems? 
We have not seen any evidence of this to date.  

Was UKG the only company targeted by the cyber-attacker? Were other companies involved? 
Given the ongoing investigation, we will not speculate on additional impact outside of our organization.  

Is this related to the Log4j vulnerability that was recently discovered? 
Log4j is a Java-based logging tool that is directly embedded in popular software applications across many industries. As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability. We are currently investigating whether or not there is any relationship between the recent Kronos Private Cloud security incident and the Log4j vulnerability. 
 

 


Update for Impacted Customers – December 15, 2021; 11am EST

We’re providing an update for customers who have questions regarding time and attendance collection during this period. UKG is continuing to explore other potential options and will provide additional recommendations specific to customers’ products and clock models soon. In the meantime, if you need additional assistance, please contact Support.

How can impacted customers capture employee time and attendance during this period?
In most instances, UKG timeclocks will record and store employee punches offline until connectivity can be restored. We are working on a recommendation for customers who may have a limitation on their timeclock storage. However, UKG strongly recommends customers consider manual time collection efforts to ensure accurate collection of employee time in the interim. UKG continues to explore other potential options and we are working to provide recommendations specific to the customer's product and clock model soon.

Does UKG have concerns that the timeclocks for UKG Workforce Central have any potential security issues?
While our review of this matter is ongoing, at this time we have seen no evidence that this incident has impacted our customer timeclocks.  As is always the case, we encourage customers to follow best practices when using a device.  That includes promptly installing any patches or updating software when asked to do so, and network segmentation.  If you have a question or concern that arises, please contact Support.

Can UKG timeclocks take and store punches locally?
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks are designed to store punches while the clock is offline and unable to reach the WDM server. We are exploring options to provide a method to offload and preserve that data.

How long will punches be stored on UKG timeclocks when a server is offline?
InTouch DX, InTouch 9100, InTouch 9000, and 4500 timeclocks will store punches until their memory is full. When this occurs, the clock will display a message indicating the database is full and punches will no longer be collected. The time it takes to fill up the clock’s database with punches will vary based on your clock model and number, the volume of punches, the clock configuration, number of employees, and employee data that is configured on the clock.

Can impacted customers manually collect punch data from their timeclocks?
At present, timeclocks must have Workforce Central connectivity to collect time punch data. We are exploring options to provide a method to offload and preserve that data. In the meantime, we recommend customers consider using alternative manual methods for employees to accurately record their time worked.

 


Update for Impacted Customers – December 14, 2021; 8:39 pm EST

We understand receiving timely updates about the availability of UKG Kronos Private Cloud (KPC) is important, and we are committed to communicating as transparently as possible. As such, we have launched a dedicated webpage where you can find the latest updates on this issue here: https://www.ukg.com/KPCupdates
 
We encourage our UKG customers and partners to utilize this site for additional information, as we will continue to keep it updated with all relevant communications. We will also continue to send communications directly to customers when we have new information to share pertaining to your organization.

Once again, we understand the impact this is having on you and your people, and we are working as quickly as possible to investigate and remediate the situation. If you need assistance, please contact customer support.

 


Update for Non-Impacted Customers – December 14, 2021; 8:39 pm EST

We're reaching out with an update about the recent cybersecurity incident involving UKG Kronos Private Cloud (KPC). We understand receiving these updates is important and we have launched a dedicated webpage where you can find the latest updates: https://www.ukg.com/KPCupdates
 
It is important to note that at this time, we are NOT aware of an impact to:

  • On-premise (self-hosted) UKG Workforce Central customers
  • On-premise UKG TeleStaff customers
  • UKG Pro
  • UKG Dimensions
  • UKG Ready
  • UKG HR Service Delivery (People Assist and Document Manager)
  • Any other UKG products or solutions that are housed in separate environments and not in the Kronos Private Cloud
These solutions listed above remain available.
We encourage our UKG customers and partners to utilize this site for additional information, as we will continue to keep it updated with all relevant communications. We will also continue to send communications directly to you when we have new information to share pertaining to your organization.

As always, if you have any questions about this issue, please reach out to a member of your UKG Account Team.

 


Update for Impacted Customers – December 14, 2021; 2:20 AM EST

We are reaching out with an update regarding the cybersecurity incident that has disrupted the Kronos Private Cloud. To review the communication that was sent out yesterday, December 12, 2021, visit www.ukg.com/KPCupdates. We understand you have questions—here’s what we know so far.
 
What happened?
Late on Saturday, December 11, 2021, we became aware of unauthorized activity impacting UKG solutions using Kronos Private Cloud. We took immediate action to investigate and mitigate the issue and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the environment where some of our UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed.
 
At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.
 
Has any data been compromised as a result of this incident?
Our investigation is ongoing, and we are working diligently to determine whether customer data has been compromised. We will keep you updated as new information becomes available.
 
Why can’t UKG utilize its back-up or redundant systems?  
UKG employs a variety of redundant systems and disaster recovery protocols. However, due to the malicious nature of this incident, we are determining the best approach to safely and securely handle restoration of the affected services. As a result, Kronos Private Cloud backups are currently unavailable.  
 
How can we capture employee time and attendance during this time?  
In most instances, UKG timeclocks will record and store employee time-punches offline until connectivity can be restored. We are working on a recommendation for customers who have a limitation on timeclock storage. However, UKG strongly recommends customers engage in manual time collection efforts to ensure accurate collection of employee time in the interim.  
 
UKG continues to explore other potential options. We are working to have recommendations specific to your product and clock model soon.  
 
When can we expect this to be resolved?  
Due to the nature of the incident, it may take up to several weeks to fully restore system availability. While UKG has dedicated extensive resources to resolving this issue and supporting our impacted customers, we do not have an estimated time of resolution. As a result, UKG continues to strongly recommend our customers work with their leadership to activate their business continuity plans.
 
Is this issue related to the Log4j vulnerability?
While we currently have no indication that there is, we are investigating whether or not there is any relationship between the security incident described above and the Log4j vulnerability.
 
How can I get support during this time?  
Please open a case in the UKG Kronos Community by visiting community.kronos.com.
 
When should we expect to receive another update?  
We are committed to updating you within 24 hours or sooner if new information is available.  
 
We understand the impact this is having on you, and we are continuing to take appropriate actions to remediate the situation.

 


Update for Non-Impacted Customers – December 14, 2021; 2:20 AM EST

Dear UKG Customer,
 
As our valued customer, we want to let you know of a recent cybersecurity incident involving our company. Late on Saturday, December 11, 2021, we became aware of unauthorized activity impacting UKG solutions using Kronos Private Cloud. We took immediate action to investigate and mitigate the issue and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the environment where some of our UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed.
 
It is important to note that at this time, we are not aware of an impact to:
•    On-premise (self-hosted) UKG Workforce Central customers
•    On-premise UKG TeleStaff customers
•    UKG Pro
•    UKG Dimensions
•    UKG Ready
•    UKG HR Service Delivery (People Assist and Document Manager)
•    Any other UKG products or solutions that are housed in separate environments and not in the Kronos Private Cloud
These solutions listed above remain available.
 
We are working with leading cybersecurity experts to assess and resolve the situation affecting our Kronos Private Cloud customers and have notified the authorities. We appreciate the trust you put in us, and I want to assure you we are taking all appropriate actions to mitigate the issue.
 
Log4j Update
Some of you have asked about the recent Log4j “zero day” vulnerability. Log4j is a Java-based logging tool that is directly embedded in popular software applications across many industries. As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability.
 
While we currently have no indication that there is, we are investigating whether or not there is any relationship between the security incident described above and the Log4j vulnerability.
 
If you have any questions about either of these issues, please reach out to a member of your UKG Account Team or visit your UKG Customer Community (ukg.com/support) to learn more.
 
We value our relationship and thank you for your continued support.

 


Update for Impacted Customers – December 13, 2021; 1:47 AM EST

We are reaching out to inform you of a cybersecurity incident that has disrupted the Kronos Private Cloud.

As we previously communicated, late on Saturday, December 11, 2021, we became aware of unusual activity impacting UKG solutions using Kronos Private Cloud.  We took immediate action to investigate and mitigate the issue, and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

We are working with leading cybersecurity experts to assess and resolve the situation, and have notified the authorities. The investigation remains ongoing, as we work to determine the nature and scope of the incident.

While we are working diligently, our Kronos Private Cloud solutions are currently unavailable. Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions. Support is available via our UKG Kronos Community and via our UKG Customer Support Team to provide input on your business continuity plans.

We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation. We recognize the seriousness of this issue and will provide another update within the next 24 hours.

Thank you for your support and partnership.


Update for Impacted Customers – December 12, 2021; 12:37 PM EST

On Saturday evening, December 11, 2021, we were made aware of issues impacting the availability of UKG solutions using the Kronos Private Cloud (KPC). Impacted solutions include:
•    UKG Workforce Central
•    UKG TeleStaff
•    Banking Appointment and Scheduling Solutions
Any of these solutions deployed in on-premise (self-hosted) environments are not affected, and we are not experiencing impact to UKG Pro, UKG Dimensions, or UKG Ready.
 
At this time, we do not have an estimated restoration time and we recommend that our customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other operations important to their organization.   
 
We recognize the importance of these solutions to your organization. We have actively mobilized all resources at our disposal to address this issue and will continue to update customers regularly until the issue is resolved.

 
