Kronos ransomware attack impacts major Maine employers

YARMOUTH, Maine—MaineHealth and Hannaford, two of Maine’s largest employers, were recently affected by a ransomware attack on Kronos, a Massachusetts-based human resources firm that helps companies around the world manage their payrolls and track employee time and attendance.

Kronos said that the ransomware attack, which occurred on Dec. 11, 2021, may keep its systems offline for weeks. The company was unable to offer a definite time frame for restoring services and admitted the delay has the potential to impact the issuance of employee paychecks and how companies keep track of when employees clock in and out of their shifts. Its software is used widely in the United States by municipal governments, university systems and large corporations.

“(Kronos) recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers,” a company spokesman said in a statement. “We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services.”

Kronos recommended that its customers use backup plans such issuing paper paychecks and having employees manually track their shift start and end times. 

MaineHealth issued a statement letting its employees know that they will be paid on time following the attack. It uses Kronos software to track the hours of its 22,000 employees in 11 counties in Maine and Carroll County, N.H.

Two MaineHealth organizations, MaineHealth Care at Home and NorDx Laboratories were not affected by the attack. In its statement, MaineHealth said the Kronos system was used only to log employee hours and was separate from the health care network’s payroll system.

“As such, there is no risk that employee Social Security numbers or bank routing information has been exposed as a result of the ransomware attack,” MaineHealth said. “The ransomware event targeted Kronos’ internet-based services, and no systems or data at MaineHealth have been compromised. MaineHealth has been working around the clock to assure that paychecks will be issued as scheduled and has put in place new procedures for tracking employee hours in the coming weeks.”

MaineHealth said it will have to manually record some changes in hours worked in the final week of the most recent pay period and reconcile those changes in subsequent paychecks. The company noted that the ransomware attacks came at an inopportune time, especially as its hospitals contend with treating a surge in COVID patients.

“Though this ransomware attack affects employers worldwide, it is especially unfortunate that our care team members have to deal with this at a time when the pandemic is at its peak in Maine,” said Al Swallow, chief financial officer of MaineHealth. “We are doing all we can to mitigate the impact of this on our team and help them to continue their heroic work caring for our patients.”

Ericka Dodge, spokesperson for Hannaford in Maine, acknowledged that the supermarket chain had been impacted by the ransomware attack. She said Hannaford uses Kronos to operate its timekeeping system, not its payroll system. Hannaford employs about 10,000 associates in Maine.

“Hannaford is among the many companies worldwide that have been impacted by the Kronos outage, and we have taken steps to ensure associates are paid promptly and appropriately,” Hannaford said in a statement. “Our stores are tracking hours worked manually during the outage and have implemented other process changes. We remain in contact with Kronos to learn more about the outage and its likely duration.”

Dodge said the Kronos outage occurred on the last day of Hannaford’s payroll week, preventing hours for the week from feeding into its payroll system. As a result, Hannaford issued paychecks based on the prior work week and made immediate cash advances available for any individual who worked more hours.

“Any errors in an individual’s paycheck are being and will continue to be quickly corrected,” Dodge said. “Associates are paid for their hours worked.”

The hack affected dozens of employers across the country including New York’s Metropolitan Transportation Authority, the city of Cleveland, the Oregon Department of Transportation and a number of universities, including the University of Utah and George Washington University.

In a list of steps that it is taking to rectify the hack – published on its private cloud status update – Kronos made no mention of whether the attackers demanded money.

“We recognize the seriousness of this issue and are committed to supporting our customers as we work to a resolution,” the company said.