Ransomware attacks on a third-party company that tracks employees’ work time and leave requests may have exposed the names, addresses and phone numbers of all 8,000 workers with The Queen’s Health Systems.
Kronos, the firm contracted by Queen’s, does not have any employees’ Social Security numbers or financial and banking data. Queen’s officials said they have no knowledge that any personal information has been used improperly, according to a statement to the Honolulu Star-Advertiser.
On Sunday, Queen’s was told its workforce management solutions provider, Kronos, was hit with a ransomware attack that disrupted its employee timekeeping and leave- request platform. The ongoing outage reportedly affects more than 2,000 Kronos Private Cloud customers, according to the release.
“The security of employee information is of critical importance to us. Within the Kronos module that the health system utilizes, there is limited personally identifiable information stored. This information includes names, phone numbers and addresses,” said Minna Sugimoto, manager of corporate communications for The Queen’s Health Systems.
“UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers. We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services,” a spokesman said in a statement to the Star-Advertiser.
A public update on the Kronos Private Cloud was established by UKG at ukg.com/KPCupdates.
The workers most affected by the outage will be hourly employees, according to the Healthcare Association of Hawaii. Salary workers will receive their normal pay, but hourly workers will be paid based on estimates. Once the timekeeping system is restored, an audit will be performed. The results might show some workers were overpaid and others shorted.
“It’s not a good situation. It is very, very unfortunate. … There are so many bad actors around the world who do not consider or take into account the impact on individual lives. … This is one of the consequences. … People’s paychecks are being impacted by this cyberattack,” said Hilton Raethel, president and CEO of the Healthcare Association of Hawaii, in an interview. “The good news is … they can convert to a manual system.”
Hawaii Pacific Health also uses Kronos Software, but not the cloud-based version hit by the attack. HPH’s Kronos systems are housed on the health system’s internal servers, Raethel said.
Mufi Hannemann, president and CEO of the Hawaii Lodging & Tourism Association, told the Star-Advertiser that a survey of some members revealed some impacts associated with the Kronos attack as an end user of the payroll and time-clock services, he told the Star-Advertiser.
“However, the vast majority of our hoteliers that responded have noted that they have not been affected. Also at this time we have not received any direct complaints or concerns from our industry members on the matter,” said Hannemann.
About 250 Emergency Medical Service personnel and between 400 to 500 Honolulu Board of Water Supply workers who used the same cloud-based Kronos software are using manual time-tracking systems to account for employees’ work.
“DOH utilizes Kronos for employee scheduling for approximately 400 employees at the Hawaii State Hospital. Kronos is not currently online and DOH adapted to use paper and other methods to bridge scheduling needs,” according to Kaitlin Arita-Chang, spokeswoman for the state Department of Health.
A separate ransomware attack targeting the websites, scheduling and real-time services provided by Oahu Transit Services continued to keep website, scheduling applications and real-time tracking data offline. City leaders received a detailed update Tuesday from information technology leadership.
Cybercriminals connected with Russia, and possibly China, working with an array of nonstate and state actors, could be behind the attack on Oahu Transit Services. There is not an hour that goes by that city systems aren’t being probed for vulnerabilities and access points, said Mark D. Wong, chief information officer and director of the city Department of Information Technology, in an interview with the Star-Advertiser.
“We really are stepping up our vigilance. It is likely that it is human error. We need to make sure that our employees are also vigilant,” he said.
Oahu Transit Services was “likely” compromised when someone opened an email, link or attachment and introduced ransomware that is keeping TheBus, TheHandi-Van, HOLO ride-card digital services, websites and applications offline, according to an email shared with the Star-Advertiser.
The city learned of the cyberattack not from Kronos, but from media reports. News reports were already online two days before Kronos officials contacted the city about the ransomware.
“We found out when the rest of the world found out,” said Wong. “Kronos was hacked on Saturday, and a couple of days before … the news (of the ransomware attack) spread online.”
As HPD and the FBI stepped in to help Oahu Transit Services, so did the city and state. Wong didn’t believe city DIT could be of much help to the investigation because the systems don’t belong to it.
“Hackers can compromise an account and use it to send infected messages. This is likely how the OTS system was compromised,” wrote Wong in an email sent Tuesday morning to city directors, deputy directors, City Council members and staff, and DIT security liaisons.
“At this time, no networks or systems operated by the City and County of Honolulu are known to have been attacked or shut down by hackers,” he wrote.
In another cyberattack, the third-party Kronos employee timekeeping system used by the Honolulu Board of Water Supply, the city Emergency Services Department and thousands of businesses and organizations nationwide suffered a ransomware attack that is expected to affect the company’s operations for weeks.
Kronos is a cloud-based system operated by a company in the United Kingdom.
Wong said city employees using the Kronos system log into that company’s website, and no Kronos software is running on city servers. The city cannot shut down Kronos, but city users cannot log into the system until Kronos restores services, he explained.
“It is likely that other Hawaii organizations like hospitals, retail outlets, and educational organizations are also using Kronos,” Wong told city leaders.
Wong also detailed how networks and systems running the bus and Handi-Van software are managed by Oahu Transit Services using networks separate from the the city’s.
The fare collection system and HOLO card exchange data with the OTS systems, but those systems are physically separate and located in city data centers in their own isolated network.
“There have been no signs that HOLO has been hacked, but servers have disconnected from the Internet until the OTS services are restored,” Wong wrote. “While the city systems and networks appear to be safe at this time, we must be hyper-vigilant during what seems like a siege on government and infrastructure systems.”
He urged department heads and all city workers to be extremely cautious about opening any attachment or link sent in an email, even if the sender appears well known to the person receiving the email.
The URL link is not necessarily the address embedded in the link. Don’t click on the link. Instead, enter the address or go to a well-known site, he wrote.
Spreadsheets and PDFs can spread malware. City employees should avoid forwarding messages with attachments to reduce the risk of spreading malware, and limit internet use to essential work, he said.
“Log out of your workstation if you are stepping away for an hour or more, and shut down your machines when you leave for the day unless you absolutely need remote access,” he said. “DIT is on extreme alert. We’re doing everything we can to keep our networks and systems safe, but our users are really our first line of defense. Be suspicious of anything that has unusual content, incorrect spelling or grammar, or is from an unlikely sender (even the Mayor or Council Chair). Call the user directly if there is any question, and notify DIT if you suspect an attempted attack.”