Timekeeping biz Kronos hit by ransomware and warns customers to engage biz continuity plans

Kronos Private Cloud has been hit by a ransomware attack. The company, also known as Ultimate Kronos Group (UKG), provides timekeeping services to companies employing millions across the UK.

Emails sent by Kronos to its corporate customers, seen by The Register, confirm the firm has pulled its private cloud services offline following a ransomware attack. It is advising customers to deploy “alternative business continuity protocols” – a move with potential implications for Britons’ Christmas pay packets.

Kronos’ messages to corporate customers were identical in wording to this post on Kronos’ customer support forums, signed by exec veep Bob Hughes. It said:

Kronos’ timekeeping products are used by British companies including supermarket chain Sainsbury’s, Boots the Chemist and Jaguar Land Rover.

“Issues companies will have is employees don’t know their schedule (it’s in Kronos) and then when they clock in and out, that clock won’t go anywhere,” a Register reader, who works for an affected firm, told us.

Kronos’ timekeeping service interfaces with companies’ payrolls. In effect, it tells the payroll department how much to pay each staff member. The firm also provides rostering and shift management services.

“At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud,” concluded its statement.

The message from Kronos said restoring full service would take “several weeks.”

We have asked the company for comment and will update this article if it responds.

A Sainsbury’s spokesperson said: “We’re in close contact with Kronos while they investigate a systems issue. In the meantime we have contingencies in place to make sure our colleagues continue to receive their pay.”

It is not yet known whether the Log4j remote code execution vulnerability was the attackers’ way in. Neither is the attackers’ identity publicly known at the time of writing.

We understand some of Kronos’ products and services can be deployed on-premises. In the short term, those on-prem deployments naturally won’t be affected by the main Kronos shutdown, although ransomware criminals could still compromise them if the vulnerability they used lies in Kronos’ software itself rather than in a network misconfiguration.

Three years ago Kronos’ US arm was sued by a nursing home employee who said its fingerprint-scanning tech violated a US state’s privacy laws. ®