Suffolk officials probe possible impact of ransomware attack on county vendor

Suffolk County legislators and a police union official expressed concern Wednesday that personal data of more than 3,800 county law enforcement officers and first responders may have been breached in a ransomware attack on county vendor.

The information about the county employees had been entered into UKG TeleStaff, a law enforcement scheduling system, ahead of a planned Dec. 27 launch, officials said.

TeleStaff was among services hit in a Dec. 11 cyberattack against HR management company Ultimate Kronos Group, officials said.

Suffolk County officials since have delayed the program's launch.

UKG said it was investigating whether customer data had been breached.

County Executive Steve Bellone's spokesman Derek Poppe said in a statement: "We have no information that indicates that county employee personal information was involved in the UKG data breach as our system is not live yet."

But officials said Wednesday they were troubled by the potential breach since employees’ names, addresses, telephone numbers and dates of birth were in the system.

"We’re extremely concerned at this point that we don't truly know the full depth of what has been accessed," said Noel DiGerolamo, president of the Suffolk County Police Benevolent Association, the largest county police union.

The county planned to launch TeleStaff as part of a $7.2-million overhaul of its outdated payroll system, according to officials and county legislative documents.

TeleStaff will be used to schedule public safety shifts and allow workers to call out sick and sign up for overtime, Suffolk information technology Commissioner Scott Mastellon told legislators Wednesday.

Suffolk has a $4.5 million contract with UKG and so far has paid out $1.4 million, county Comptroller John M. Kennedy Jr. said.

Mastellon said information about 3,865 police, sheriff’s and Fire, Rescue and Emergency Services employees was entered in the system in advance of the rollout.

Mastellon said payroll operations and scheduling have not been affected by the cyberattack since they can rely on existing systems.

County legislators, in a heated committee meeting Wednesday morning, asked why UKG did not have more information and why county officials waited so long to inform legislators of the potential breach.

"I don't think we should be paying them another dime until you get a sufficient update and they're able to say that our data is protected," Legis. Jason Richberg (D-West Babylon) said.

Poppe said Bellone's office is communicating with UKG, "to determine what, if anything, potentially could have been breached."

Poppe said information technology, "immediately notified the NYS Department of Homeland Security to determine next steps to protect personnel information if needed."

Erik Carlson, a spokesman for UKG, said in an emailed statement: "We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services."

Sgt. Paul Spinella, a spokesman for Suffolk County Sheriff Errol Toulon Jr., said the ransomware attack has not impacted day-to-day operations.

Other organizations that use UKG include the Metropolitan Transportation Authority, which uses the Kronos timekeeping system.

The MTA said Tuesday its employees will get their paychecks but could see a delay in overtime pay.

A Nassau County spokeswoman said the county was not impacted by the attack.

With Scott Eidler

By Rachelle Blidner

rachelle.blidner@newsday.com@rachelleblidner

Rachelle Blidner covers Suffolk County government, politics and breaking news.