Kronos Private Cloud FAQs

Jump to a section:

Last Updated: January 14, 2022 as of 8:00 am ET

NOTE: Newest or updated questions in this Q&A are in italics. Previously answered questions are not in italics.

All UKG Kronos Private Cloud Updates

Customer Restoration Checklists*

*You must have a UKG Kronos Community log-in to access these checklists.
If you are an affected customer and do not have access to the Kronos Community, you can register here.

General Questions

  • What is the nature of the current incident affecting UKG solution availability?

    UKG is currently mitigating the impact of a ransomware incident affecting a small subset of UKG solutions. The incident is limited to those instances that are hosted in the Kronos Private Cloud (KPC), specifically, Workforce Central, Telestaff, Healthcare Extensions, and UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions). UKG has engaged leading cybersecurity experts, notified the authorities, is proactively communicating with impacted customers, and is beginning the recovery stage. We recognize the seriousness of this issue and are committed to supporting our customers as we work to a resolution.

  • How does a UKG customer know if they have been impacted? Which solutions are impacted and which solutions are not impacted?

    Based on our ongoing investigation, this incident appears limited only to the following hosted solutions in the Kronos Private Cloud. These solutions include:

    • UKG Workforce Central
    • UKG TeleStaff
    • Healthcare Extensions
    • UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions)

    At this time, we believe that instances of these solutions deployed in on-premise/self-hosted environments are not affected.

    We recognize customers often deploy a combination of UKG solutions, such as UKG Dimensions with TeleStaff, etc. It is important to note that, in these deployments, the portion of the solution deployed in Kronos Private Cloud will not be available.

    At this time, we do not believe that other UKG solutions are affected. This includes UKG Pro, UKG Dimensions, UKG Ready, UKG HR Service Delivery, and other solutions that are not hosted in Kronos Private Cloud.

  • When did UKG first learn about this incident, when did UKG inform customers, and what did UKG do when it became aware of the incident?

    Late on Saturday evening, December 11, 2021, our cloud monitoring and operations team noticed some unusual activity in the Kronos Private Cloud (KPC). Specifically, some servers had become encrypted and others were in the process of being encrypted. To reduce the risk to customers and customer data, we immediately initiated an emergency procedure and shut down more than 18,000 physical and virtual servers. We isolated systems, disabled accounts, reset passwords, and disabled VPN site-to-site connections on the UKG side.

    At approximately 1AM ET Monday, December 13, we notified our customers that it was a ransomware attack and have since devoted our resources to resolving this incident as quickly as possible.

    We will continue to provide updates as we work to a resolution.

  • What is UKG doing to address and resolve the issue?

    To reduce the risk to customers and customer data, once we learned of the incident we immediately initiated an emergency procedure and shut down more than 18,000 physical and virtual servers. We isolated systems, disabled accounts, reset passwords, and disabled VPN site-to-site connections on the UKG side.

    We are making significant progress on our restoration efforts. All impacted customers should now be in contact with their dedicated UKG Recovery Liaison. The speed at which we can move customers through the phases of recovery will be based on the technical state in which we find their environment. If customers have no database issue, are on a recent version of the software, and have limited customizations within their environment, we can move more quickly in restoring their solution. We are confident that we have fully contained the threat and have now completed our first pilot program that has allowed us to automate additional processes so that we can bring all customers back online in a parallel fashion.

    A customer’s restoration timeline is determined by a complex technical process, thus we likely cannot expedite placement. Additionally, in light of the global pandemic, we have specialist teams dedicated to healthcare, first responders, and customers who rely on UKG for payroll processing. We will work as quickly as possible with our teams to restore systems, as we have organized our teams to be working in parallel to expedite recovery. Our goal is to bring all our customers live as quickly and safely as possible.

  • Where does the Kronos Private Cloud remediation and recovery process stand? When will UKG bring impacted customers’ solutions back online?

    UKG has dedicated extensive resources working around the clock to bring all affected customers back online in a safe and secure manner. The threat actor encrypted both our production environments and our warm stand-by disaster recovery environments, and disabled the communication layer to our back-up databases — so the recovery process is taking place in phases.

    Progress as of January 10, 2022:

    As a result of the pilot program, we are now working on restoration of customers in parallel, which began the week of January 3 and will likely run throughout the month of January, based on our current projections.

    All impacted customers should now be in contact with their dedicated UKG Recovery Liaison. The speed at which we can move customers through the phases of recovery will be based on the technical state in which we find their environment. If customers have no database issue, are on a recent version of the software, and have limited customizations within their environment, we can move more quickly in restoring their solution. We are confident that we have fully contained the threat and have now completed our first pilot program that has allowed us to automate additional processes so that we can bring all customers back online in a parallel fashion.

    A customer’s restoration timeline is determined by a complex technical process. Additionally, in light of the global pandemic, we have specialist teams dedicated to healthcare, first responders, and customers who rely on UKG for payroll processing. We will work as quickly as possible with our teams to restore systems, as we have organized our teams to be working in parallel to expedite recovery. Our goal is to bring all our customers live as quickly and safely as possible.

  • How do impacted customers open a case file for additional support?

    Impacted customers can open a case in the UKG Kronos Community by visiting community.kronos.com. Non-impacted customers can continue to find the latest updates at www.ukg.com/KPCupdates.

  • I am a new customer implementing a non-impacted solution. Will my implementation be affected?

    If you have concerns about your implementation schedule or timeline, please talk to your project team.

  • Is this incident U.S. centric only? Have Kronos solutions outside the U.S. been affected?

    This incident is not US-centric only. It also impacts KPC customers outside of the US. UKG Workforce Central SaaS, UKG Telestaff, Healthcare Extensions, and UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions) deployed in the Kronos Private Cloud are impacted regardless of country. The incident affected KPC data centers in the US, Frankfurt, and Amsterdam.

  • Should the UKG mobile app be uninstalled by affected customers’ end-users (employees) from their mobile device?

    At present, UKG has no reason to believe that the presence of the UKG mobile application for Workforce Central SaaS poses a risk to end-user devices.

  • How does UKG know that other cloud environments (non-Kronos Private Cloud) are not impacted?

    Kronos Private Cloud is a private environment managed by UKG where we host customer single-tenant solutions. In contrast, UKG Dimensions, UKG Ready, UKG Pro, and UKG HR Service Delivery are all completely separate code bases operated in completely separate environments and clouds from Kronos Private Cloud. We are working with leading cybersecurity experts, and through our investigation to date have seen no evidence that the other cloud environments have been impacted.

  • Should affected customers prevent clocks from uploading punches to Workforce Central?

    Yes, at this time, we recommend that customers avoid trying to upload punches to Workforce Central because Workforce Central has been disabled.

  • What will happen to punches stored on clocks as we move through the recovery process?

    Punches stored on clocks will be collected and processed once your Workforce Central system is back online. Customers who have used the On-Premise Punch Collection Server utility to collect punches from clocks will use a Workforce Manager interface to import collected punches into Workforce Central. The process and length of time it will take to collect these punches will vary depending on the total number of clocks and punches, and if the clocks contain simple punches and transfers or Attestation or Activities offline forms.

Interim Solutions for Time and Scheduling

  • What options can UKG provide to affected customers for time punch collection, time capture, and scheduling as an interim solution?

    UKG is providing customers with three options for customer who use UKG Workforce Central in the cloud to use while Workforce Central is unavailable:

    1. UKG Excel Timesheet Aggregator Solution
    2. Excel Scheduling Solution
    3. On-Premise Clock Punch Collection Server
    4. Quick Timestamp Offline Mode (QTSO)

    What is the Excel Timesheet Punch Aggregator Solution?

    UKG has created a macro-driven Excel file that presents punch data and hours in an Excel timesheet. It also integrates with the On-Premise Clock Punch Server for consumption of the CSV punch files. This provides a simple approach for customers to consolidate punch files and better visualize how many hours each employee worked. It also provides a means to store manually-added punch data for later integration back into UKG Workforce Central.

    More Details

    The Excel Timesheet Punch Aggregator Solution is a good fit for:

    • Customers using On-Premise Clock Punch Server for clocks and wanting to view/edit those punches in a summary timesheet.
    • Customers who are using other solutions for capturing punches and can save them in CSV format for importing into this Excel timesheet (contact support for more information on importing CSV files).
    • Customers who want to manually enter employee punches into a summary timesheet

    What are the requirements?

    • 64-bit version of Microsoft Excel
    • Basic Excel skills
    • Windows PC (MacOS not supported)
    • Ability to store Excel spreadsheets on a local server

    Availability

    • This solution is available now
    • Please contact UKG support for more details

    What is the Excel Scheduling Solution?

    The Excel Schedule Solution is an MS Excel file that can be used to create a very simple schedule. This solution will not include any workload information (including forecasting or budgeting). The calculations of scheduled hours, employee rule violations, and accruals are not supported.

    More Details

    The Excel Schedule solution is a good fit for:

    • Customers who will find value in a basic scheduling tool. The solution allows you to enter employee information (name, location, job), shift templates and pay code edits.
    • Customers who have simple Excel skills and the ability to save files locally

    What are the requirements?

    • Simple Excel skills
    • Ability to store the Excel file locally

    Availability

    • If you are interested in this option, contact UKG Customer Support.

    What is the On-Premise Clock Punch Collection Server?

    The On-Premise Clock Punch Collection Server (OPPC) is installed at the customer site to collect punches from clocks and store them in CSV format while UKG Workforce Central is unavailable. This will keep the clocks from running out of memory so that punches can continue to be entered and collected. Punch CSV files can be imported to Workforce Central when it is back online and can be accessed and used as needed, while Workforce Central is unavailable, by importing the CSV files into the Excel Timecard Solution.

    OPPC is a good fit for:

    • Customers with clocks that are at risk of exceeding storage capacity before Workforce Central is back online, and want to use punch data to confirm employee work time once Workforce Central is back online
    • Customers who would like to access clock punch data prior to Workforce Central becoming available

    OPPC is not a good fit for:

    • Customers who do not have the ability to provide a server with network accessibility from all their clocks, or do not have IT staff who can install and manage the server
    • Customers who have 4500 series clocks that do not support Device Initiated communication. These include the following models and firmware versions:
      • Kronos Series 4500 Part Number 8602000-xxx, firmware versions 2.x.x
      • Kronos Series 4500 Part Number 8602004-xxx, firmware versions 2.x.x
      • Kronos Series 4500 Part Number 8602800-000 to 8602800-499, firmware versions 2.x.x
      • Kronos series 4500 terminals with the analog modem communication option

    What are the requirements?

    To use OPPC, customers should be prepared to:

    • Install Apache Tomcat Webserver, Java, and UKG-provided software on a Windows Server 2012 R2 Standard or Higher (64-bit), and run and monitor the server
    • Install OPPC on a server in a network location accessible to all of their clocks
    • Physically configure each clock to communicate to the On-Premise Punch Collection Server
    • Physically configure each clock again to communicate with the Workforce Central Server when back online
    • Use Workforce Integration Manager to import punches once Workforce Central is back online
    • Customers who wish to view/access punch data while Workforce Central is unavailable must use a tool like the Excel Timecard solution

    Important information for customers using Attestation or Activities

    There is a version of OPPC that  enables customers to retrieve offline Attestation punches and Activities transactions from the majority of UKG clocks. These punches will be moved to a CSV file to ensure clocks will not run out of memory. Once these Attestation and Activities forms are collected, customers’ clocks that were configured for Attestation or Activities offline will be re-configured to support “simple punches” so customer can continue collecting punches. Once Workforce Central is available, clocks will be returned to the previous configuration.

    Availability

    • OPPC is currently available.
    • Customers should contact UKG support for more details on this solution.

    What is QTSO?

    Quick Time Stamp Offline (QTSO) is a solution for simple punch collection. QTSO is a stand-alone application that runs on Windows 10 and allows employees to enter time stamps when communication to the Workforce Central system is not available.

    It allows you to capture an employee badge #, punch time and transfer. There is no validation of the user, no punch rules, etc. This includes the badge ID or username, timestamp based on the local server, transfer string, mode used (badge or username). The punch information is stored in encrypted format in the local file system.

    UKG is providing an extract utility that can be used to export your QTSO punch DB file to a CSV file. You can then view the punches for your employees and manipulate the information to get the hours worked in the Excel Timesheet Solution.

    The WFC server connection attributes for QTSO can be configured so that QTSO will transfer the punch detail to the WFC server when it becomes available.

    Who is a good candidate for this solution?

    • Customers who simply want to capture basic punch information at a desktop
    • Customers who have groups of employees who are co-located and can access a single desktop or a laptop machine
    • Customers who do not use Attestation or Activities — both are not supported by QTSO.
    • QTSO can be used in a stand-alone environment with no internet connection

    What Are The Requirements?

    • QTSO is a software solution that must be installed on a 64-bit Windows 10 machine. Complete instructions will be provided.—QTSO has a local DB limit of 150K punches. This is per installed instance of QTSO. Once the limit is reached, the provided rollover script can be used to extract punches into a CSV file so you can continue using QTSO.
    • We recommend that you run and use QTSO in a stand-alone environment

    Availability

    This solution is available now. Please contact your UKG Customer Support representative or submit a ticket via the Kronos Community.

     

  • Are there any UKG partner options being made available at no charge to impacted customers for time collection while UKG Workforce Central is unavailable?

    Yes, UKG has three partners solutions that are now available to our impacted Kronos Private Cloud time collection customers.  These solutions are available at no charge to customers until UKG Workforce Central services impacted by the December 11, 2021 security incident (the “KPC Incident”) are restored. These two partner solutions will give impacted customers the option of collecting punches using a telephone, mobile phone, or tablet, and are being offered in addition to the interim options provided directly by UKG (described in the “Interim Solutions” section of this FAQ). 

    These partner solutions enable UKG Workforce Central customers to collect time until Workforce Central is available again, and customers will be able to import the punches collected into Workforce Central once service is restored from the KPC Incident.

    Here is an overview of the two partner options. A defined set of services from these two partners are being offered to our impacted customers at no charge until the customer’s UKG Workforce Central services are restored:

    CloudApper RightPunch

    CloudApper RightPunch offers offline and online time collection for employees via a mobile app.  RightPunch allows impacted UKG Workforce Central customers to have employees download a mobile app in order to punch in and out.  Once UKG Workforce Central has been restored, collected punches can be uploaded from RightPunch into Workforce Central.

    Requirements to use:

    • Add employee list to RightPunch app using a file with employee names and employee IDs
    • Employees download RightPunch app to an Android or iOS phone or tablet, and they can punch in on their device with a PIN or QR/barcode
    • Can be configured and deployed in 1-2 days

    Availability:

    • A defined set of services through CloudApper will be available for impacted Kronos Private Cloud Workforce Central from December 20, 2021 until the impacted customer’s Workforce Central environment is restored from the KPC Incident (some limitations apply).
    • To activate this option or learn more, email [email protected].
    • For product support, customers using CloudApper Right Punch can email [email protected].

    Asher Group: Offline and Online Time Collection via Interactive Voice Response (IVR)

    Asher Group’s solution can collect employee punch data via IVR (enabling employees to punch in and out by telephone) and hold that data until Workforce Central is restored and ready to receive it. The data can be exported into a CSV file for importing into Workforce Central. It can be configured and implemented in 1-2 days. The solution is available in English and Spanish.

    Requirements to use:

    • Telephone access (you can use an existing local number for employees to dial in, or Asher Group can create a new phone number for this purpose. Local numbers are available at no extra charge.)
    • Time to get up and running: 1 day

    Availability:

    • A defined set of services through Asher Group will be available for impacted Kronos Private Cloud Workforce Central customers from December 20, 2021 until the impacted customer’s Workforce Central environment is restored from the KPC Incident (some limitations apply).
    • To activate this option or learn more, email [email protected].  
    • For product support, customers using Asher Group Offline and Online Time Collection via IVR can email [email protected].

    HRTM Consulting: Staff Management Tool for TeleStaff

    What is the HRTM Staff Management Tool?

    HRTM has made available an Excel-based rostering tool to assist customers with managing their rosters outside of TeleStaff. Users will be able to do the following within the tool:

    • Create personnel rosters with appropriate data validation to avoid errors or typos
    • Use the Roster Overview to view the personnel roster in a format similar to TeleStaff
    • Keep track of Extra Duty opportunities taken by employees in a separate sheet
    • Generate payroll exports
    • Generate basic roster data that can be imported back into TeleStaff

    This solution does not include logic to support factors such as vacancies, minimum staffing levels, or position data.  Calculations and validations such as assigned hours, logging buckets, rules, dynamic issues, and accruals are also not supported.

    The HRTM Staff Management Tool is a good fit for:

    • Customers that want to keep on top of their day-to-day scheduling needs (with shifts, work codes and detail codes).
    • Customers that want to see their personnel roster in a similar way to how it is presented in TeleStaff
    • Customers that want to be able to produce payroll exports or import basic roster data back into UKG TeleStaff when their servers become available again.

    What are the Requirements?

    • Excel skills to fill in data points such as shifts, work codes and detail codes
    • A version management system, such as SharePoint, that can properly version the Excel file

    Availability

    • This solution is available now and can be requested from HRTM Consulting at [email protected]
  • Are UKG customers sharing other ideas for potential temporary workarounds?

    UKG customers are sharing suggestions with other businesses in similar industries that have similar operational challenges. These conversations are taking place in the Kronos Private Cloud Resource Center in UKG Kronos Community. This resource hub is located at https://community.kronos.com/s/kpc?language=en_US. It consolidates relevant Knowledgebase articles and discussion threads/groups.

    Note that you must have a Kronos Community log-in to access this page. If you are an affected customer and do not have access to the Kronos Community, you can register at https://community.kronos.com/AppsCommunityRegistrationpage to access the KPS Resource Center in the UKG Kronos Community.

  • Can customers who already have Quick Timestamp Offline Mode currently access it (is it working)?

    Yes, customers who have this mode can still operate it.

  • What are some tips and tricks for  implementing  and using  the interim solutions UKG is offering for time capture, time calculation, and scheduling?

    Please visit Kronos Private Cloud | Resource Center on the Kronos Community for videos on how to use our interim solutions.

Timeclocks and Storing Punches

Customer Communications, KPC Updates Site, and Community

  • Is there a KPC incident resource hub on Kronos Community?

    Yes. The KPC incident resource hub (https://community.kronos.com/s/kpc?language=en_US) on the Kronos Community helps to consolidate relevant Knowledge Base articles and discussion threads. Please note that you must have a Kronos Community log-in to access this page. 

  • How can customer(s) receive status updates?

    All impacted customers should now be in contact with their dedicated UKG Recovery Liaison who will be available to answer questions and share progress updates directly with the customer throughout the duration of the recovery process.

    While we will continue to update www.ukg.com/KPCupdates on a weekly basis with ongoing information on our recovery process, all impacted customers should direct specific questions about your system to your Recovery Liaison.

    You have the option of subscribing to receive new post notifications to your inbox from ukg.com/KPCupdates

    Subscribing is easy. Just follow these steps:

    • Go to ukg.com/KPCupdates and click the "subscribe to email" button
    • Follow the on-screen instructions to enter your email address
    • Check the box to agree to receive email and then click "subscribe"
    • Be sure to check for a confirmation email in your inbox and click on the link to confirm your subscription. You must complete this step in order to begin receiving emails. The confirmation sender is: [email protected] If you don't receive a confirmation email, please check your spam folder.

Remediation and Recovery

  • How can impacted customers process payroll during this period?

    To start, we strongly recommend that impacted customers work with their leaders to evaluate and implement alternative business continuity protocols related to the affected UKG solutions. Customers may be able to utilize previously downloaded data to create a new payroll with a prior pay period’s data. This process may include re-posting the customer's last ACH File, using positive pay file to issue checks from Accounts Payable, or using data from GL System or GL Export file to recreate the customer's last payroll.

    While these actions would mirror the prior payroll cycle and not the current payroll cycle, upon restoration of service, our teams would then work with the customer to reconcile the difference. If UKG is not the customer's payroll provider, we suggest working with that payroll provider to explore similar options.

  • Is there any way to obtain historical payroll data? Is UKG able to provide a customer with copies of historical payroll reports or files generated prior to December 11, 2021?

    As we continue to investigate and mitigate the issue, we are not able to access any customer data, including copies of reports or files at this time. We do not presently have an estimated time for restoration of access to historical data, but we are continuing to take all appropriate actions to remediate the situation.

  • Can UKG create a like-for-like restore or would UKG consider building a completely different environment for a customer, installing an on-premise version of UKG Workforce Central, or quickly switching to another one of UKG’s time and scheduling solutions?

    Due to the complexities of each customer’s business rules and needs, we believe at this time the faster solution will be to do a system restore versus a new implementation for each customer.

  • What is UKG doing to prevent this from happening to the Kronos Private Cloud again?

    The security and privacy of your information is of the utmost importance to us and we are taking measures to protect against this type of incident in the future. Leading privacy and security firms Mandiant and West Monroe are working in parallel to test and continually harden our environment.

    Prior to restoring customer access to the Kronos Private Cloud environment, we will deploy several additional steps to further harden the Kronos Private Cloud environment against future attacks.

    Some examples of the additional measures we are implementing include:

    • We will be expanding the scanning and monitoring program of these environments using current insights from this on-going investigation.
    • We will be supplementing our SOC monitoring with additional third-party managed service monitoring.
    • We will be further expanding the deployment of additional specific monitoring agents across the environment.
    • We will be further expanding cold storage backups.
  • What is UKG doing to prevent a similar incident from occurring in its other Cloud environments (for example, the completely separate Cloud environments where UKG Pro, UKG Ready, UKG Dimensions, and UKG HR Service Delivery are housed)?

    First, it's important to understand that the Kronos Private Cloud is a completely separate environment from the cloud environments where our other solutions such as UKG Pro, Ready, Dimensions, and HR Service Delivery run. Kronos Private Cloud is architected and delivered differently from our other cloud environments.

    UKG Pro, UKG Dimensions, UKG Ready, and UKG HR Service Delivery are pure SaaS and multi-tenant. Those offerings are delivered in different Data Centers and Clouds, and are built, supported, secured, and operated differently from the Kronos Private Cloud solutions.

    Even though we have no evidence that any systems outside of Kronos Private Cloud have been impacted, we have already taken several additional steps to further harden the environments of our other non-Kronos Private Cloud products (such as Pro, Dimensions, Ready, and HR Service Delivery):

    Some examples of these additional measures include:

    • We are expanding the scanning and monitoring program of these environments using current insights from this on-going investigation.
    • We are supplementing our SOC monitoring with additional third-party managed service monitoring.
    • We will be further expanding the deployment of additional specific monitoring agents across the environment.
    • We will be further expanding cold storage backups.
  • How will I be contacted when it is getting close to the time when my solution will be brought back online? How will UKG notify me? How much lead time will we have before the restoration begins?

    All impacted customers should now be in contact with their dedicated UKG Recovery Liaison who will be available to answer questions and share progress updates directly with the customer throughout the duration of the recovery process.

    While we will continue to update www.ukg.com/KPCupdates on a weekly basis with ongoing information on our recovery process, all impacted customers should direct specific questions about your system to your Recovery Liaison.

    You have the option of subscribing to receive new post notifications to your inbox from ukg.com/KPCupdates

    Subscribing is easy. Just follow these steps:

    • Go to ukg.com/KPCupdates and click the "subscribe to email" button
    • Follow the on-screen instructions to enter your email address
    • Check the box to agree to receive email and then click "subscribe"
    • Be sure to check for a confirmation email in your inbox and click on the link to confirm your subscription. You must complete this step in order to begin receiving emails. The confirmation sender is: [email protected] If you don't receive a confirmation email, please check your spam folder.

Incident Background

  • Who is leading the investigation?

    UKG has engaged top-rated outside counsel and cybersecurity firm Mandiant to help us investigate the incident. We also engaged West Monroe, a leading firm whose cybersecurity team has extensive experience assisting organizations to recover from ransomware events, to help us restore client operations in conjunction with Mandiant. We are also leveraging other vendors and partners to provide additional resources to help us expedite the process.

  • Who or what organization is responsible for this ransomware incident?

    Based on the status of our ongoing investigation, we are unable to provide further details.

  • Can this ransomware incident extend from the Kronos Private Cloud to customer IT infrastructure and systems?

    We have not seen any evidence of this to date.

  • Was UKG the only company targeted by the cyber-attacker? Were other companies involved?

    Given the ongoing investigation, we will not speculate on additional impact outside of our organization.

  • Is this related to Log4j vulnerabilities? Has UKG remediated for all known Log4j vulnerabilities?

    While we certainly examined the possibility, we have found no evidence at this time to indicate that this incident is related to known Log4j vulnerabilities.

    Unrelated to this incident, we are pursuing continuous remediation of Log4j across all our systems in line with the latest guidance. UKG has applied patches including CVE-2021-44228, CVE-2021-45046, and is working through CVE-2021-45105 across all our products that are not on the Kronos Private Cloud. Additionally, we have reviewed CVE-2021-44832 and are actively working to patch to log4j 2.17.1, which addresses the vulnerability. As we restore our customer environments, we are scanning environments for all known vulnerabilities, applying patches to each environment, and deploying additional monitoring tools, before bringing those environments back online.

    As always, we encourage all our customers to be on the latest version of our software. We are also looking at the patching programs of our vendors. We are staying current with the latest information and recommendations, and we will apply additional updates as they become available.

  • Why couldn’t UKG just utilize its back-up or redundant systems?

    UKG employs a variety of redundant systems and disaster recovery protocols. In addition to several redundant data centers, UKG Kronos Private Cloud environments are backed up on a weekly basis, as well as on a daily basis with the delta from the previous day. That backup data is stored in a different environment from the Kronos Private Cloud production environments, with a different architecture than the production environments.

    The threat actor responsible for this attack disabled not only the Kronos Private Cloud production environments, but also disabled UKG’s ability to communicate with our back-up environments.

    We have restored the ability to communicate with our back-up environments and as of December 25, we are in the process of regaining full access to the datastore that contain the back-ups. This is an important step in the full restoration process. As we regain access to the back-ups, we will perform scans for malware and other vulnerabilities.

Data Impact Questions

  • Has any data been compromised or exfiltrated as a result of this incident?

    Our investigation is ongoing, and we are working diligently with cybersecurity experts to determine all impacts to customer data. At this point in the investigation, we have identified and analyzed a relatively small volume of data that was exfiltrated by the threat actor, and have notified affected customers of these findings. 

    Any customer whose sensitive business data and/or employee data is identified to have been exposed as a result of this attack will be notified by UKG consistent with our obligations, and we will take appropriate steps to support these customers in protecting affected individuals.

  • In which jurisdictions have you notified regulators about the incident?

    As the victim of a ransomware attack that affected the KPC infrastructure, we promptly notified:

    • the Office of the Victorian Information Commissioner (OVIC) Australia,
    • the Commission de la protection des données (APD) in Belgium, which serve as our supervisory authority in this instance,
    • the Information Commissioner’s Office (ICO) in the UK,
    • the Office of the Privacy Commissioner for Personal Data in Hong-Kong,
    • the National Data Protection Authority (ANPD) in Brazil, and
    • the Ministry of Electronics and Information Technology (MeitY) in India.

    We have further filed in:

    • the Personal Data Protection Commission (“PDPC”) in Singapore,
    • the Office of the Information and Privacy Commissioner in Quebec,
    • the Office of the Privacy Commissioner of New Zealand,
    • the Office of the Privacy Commissioner (“OPC”) of Canada.

    Our intention is to supplement these notifications and continue to evaluate our filing obligations as appropriate and as our investigation progresses.