Kronos ransomware attack raises questions of vendor liability

The December ransomware attack against workforce management company Ultimate Kronos Group hindered the ability of its customers to process payrolls. The attack, which has far-reaching ramifications, has stakeholders looking for who is to blame.

Tesla, PepsiCo, Whole Foods and the New York Metropolitan Transit Authority were among many organizations hit by the incident and resulting outage.

Employees at Tesla and PepsiCo filed a class action lawsuit against UKG seeking damages due to alleged negligence in data security procedures and practices. The case was filed in the U.S. District Court in the Northern District of California.

New York MTA employees filed a separate suit in the U.S. District Court for the Southern District of New York against the MTA, alleging it failed to pay overtime wages due to the Kronos outage.

The response and recovery from the ransomware attack is UKG's responsibility, but failure to make payroll, a potential violation of the Fair Labor Standards Act and any applicable state and local laws, is the fault of the employer.

"The employers are responsible for making payroll," said John Bambenek, principal threat hunter at security firm Netenrich. "If they're using a third-party provider, and it doesn't get the job done, they're responsible for making payroll."

That doesn't leave Kronos off the hook, however. Kronos offers a service and couldn't provide it, so now the company may be liable to its customers, Bambenek said. Employers can sue UKG too.

Assigning accountability

Another key question is whether the contracts that Kronos negotiated with its customers define who might be responsible in the wake of an incident like this.

In many cases, commercial contracts between a provider and a customer contain an indemnification clause, which protects the provider from legal action or damage for certain events. Here, the contracts may be written in favor of Kronos.

"Every vendor, especially at the level of Kronos," is going to seek an indemnification clause that benefits them in their contracts, Matthew Warner, CTO and co-founder at detection and response provider Blumira, told Cybersecurity Dive. "They're going to do as much as they can to make sure that if something goes wrong, and if there is any sort of interruption associated with it, they're indemnified for it."

Cybersecurity Dive contacted UKG, Tesla, PepsiCo and the MTA asking for comment on the attack and the lawsuits. The MTA said that it doesn't comment on pending litigation. A spokesperson for Kronos's public relations firm pointed to the latest update about the incident and the company's recovery efforts, but avoided comment on the lawsuits.

Public data

Licensing agreements between the vendor and its customers complicate potential liability.

Looking at some of the contracts that Kronos had with cities and other public entities, Warner found that they require "gross negligence or willful misconduct" to hold the company liable, he said.

Otherwise, Kronos may be indemnified for its outage.

"Legal responsibility for hacks is still such a murky thing in the U.S.," said Warner. "Often what we see for ransomware is the multi class-action lawsuit. And often they will just settle before it goes much further into law. There may be some success by people suing Kronos, but I'm expecting it to be small settlements."

For now, no one knows how or why the attack occurred. Kronos could have taken all the necessary steps to protect its data and systems but still been successfully breached. The company told Cybersecurity Dive that it has internal security resources and had monitoring in place prior to the incident but has since been supplementing those resources with third-party support and tools.

Kronos took around six weeks to restore access to the core time, scheduling and HR/payroll services for affected Kronos Private Cloud customers. As of March 4, the company was still in the process of restoring additional applications used by some KPC customers, including Citrix and Workforce Analytics. This means that a full recovery has taken longer than the several days or weeks that Kronos initially estimated. That may point to a problem somewhere in the mix.

"Kronos didn't have a good business continuity plan," Bambenek said. "Kronos does one thing — it's a payroll processor. Can you process payroll when this happens? If the answer is no, you did something wrong, or you didn't have something in place."

Warner said he wouldn't be surprised if the employee lawsuits against employers are successful.

"This sounds worse than I intend it to, but it's not Kronos's responsibility to make sure payroll works for Organization A," Warner said. "It's Organization A's responsibility to make sure they can do payroll in the case of there being an outage with your upstream provider."

For now, legal culpability is a matter that will remain murky until the pre-trial phases kick off for the different lawsuits.

"You're probably not going to know who's truly responsible from a legal perspective until discovery," Bambenek said. "And some people are just going to throw money at the problem to make it go away."