Top payroll vendors will be operating mostly by hand after Kronos attacks

Jared Blanchard knew something was wrong with his back up two days after payroll days ago. At first, he thought it was having trouble creating copies of payroll stubs for his 30 employees. “The…

Top payroll vendors will be operating mostly by hand after Kronos attacks

Jared Blanchard knew something was wrong with his back up two days after payroll days ago. At first, he thought it was having trouble creating copies of payroll stubs for his 30 employees.

“The last update I had, I’d add a few more employees but this weekend, it stopped,” said Blanchard, CEO of Checker, a digital payroll provider based in Alexandria, Va. “If you check two days after payroll day, you’ll find the correct staff signatures on your weekly pay stubs.”

On Monday, the remaining faxed copies of pay stubs were showing a “blacked out” signature. When Blanchard and his staff checked their online pay stubs, there were no checks.

Now, Blanchard said, in some cases, checks in the incorrect amount may have already been issued. Those checks will now have to be reconciled to Blanchard’s weekly pay stubs.

Firms affected by the Kronos ransomware attack, which hit companies in 36 countries on Monday, will likely face pain for months and many will be forced to delay investments planned for next year.

When Blanchard and his team looked into the cause of the problem, the price of Kronos software was revealed to be linked to the software’s root code. The root code is why Kronos software has been attacked in the past. In a statement, Kronos’ stated it was partnering with law enforcement to pinpoint the attacker.

The KrebsOnSecurity security blog reported Monday that the FBI had taken over the investigation. The revelation came several weeks after security researchers found the core of Kronos software was flawed. The firm became the target of an attack on Sept. 2 by what appeared to be the same person or group that previously attacked Kronos computers.

To date, most government agencies and Fortune 1000 companies have relied on Kronos technology to manage transactions, create paycheck summaries and file payroll tax returns.

Pier One Imports, an upscale home goods retailer with 16 stores in the D.C. region, is “now forced to work with a number of third parties to manually record all payroll data from each store,” according to a company spokeswoman.

“We have already deployed the Kronos Solution over the past three years to the nearly 300 stores that we own and operate across North America, which resulted in the same results as the attack we suffered on Monday,” said a spokesman for the company, which last week announced that retail sales rose 3.2 percent in August.

Cybersecurity experts said Monday that many large companies will have until the end of the year to replace key infrastructure that Kronos software enables. As for those who have already completed that task, they will have trouble operating.

Among the Kronos victims was Lockheed Martin, the defense contractor with about 121,000 federal employees in the Washington area. “We are aware of some isolated ransomware activities on Kronos-based systems in the company,” said a company spokeswoman.

Other large businesses in the region that run Kronos software are including Golfsmith.com, Booz Allen Hamilton, a global consulting company, Seadrill, a drilling rig owner, Duke Energy, a utility, and The National Weather Service, which runs an infrastructure warning system in the region.

Jared Glackin, a former Kronos employee who also worked at a different company with Kronos technology, said those who already have Kronos technology will be especially troubled.

“Whenever I saw someone on the street was using Kronos and was angry about something that had happened, I’d say, ‘They just got a new system,’ ” Glackin said. “Now, they are going to be experiencing system errors that could last for a couple of months, or even longer.”

Checker employees will be back on their computers on Tuesday, Blanchard said. “My customers are holding my feet to the fire,” he said. “Their wallets are safe, but they want to feel like their revenue is there.”

Leave a Comment