In December, a ransomware attack struck Ultimate Kronos Group, a vendor that Pfizer uses to track work time and pay out hourly staffers, WWMT reported earlier this week. Employees were under- and overpaid as a result, according to a letter from the company obtained by the CBS/CW-affiliated news outlet.

Now, the drug behemoth is repaying those who were shortchanged—but it’s also asking overpaid staffers to return their surplus cash.

One anonymous employee told WWMT they hadn’t realized they were overpaid and had already spent the money Pfizer’s now requesting.

“We all feel this is Pfizer’s payroll mistake,” the employee told the outlet. “We never asked for this money, we were never consulted on whether we wanted extra money.”

“Pfizer has and continues to take a fair and equitable approach to the unforeseen situation created by the Kronos ransomware attack,” a company spokesperson told the news channel. “Our priority always has been to ensure colleagues receive their weekly pay in a timely fashion.”

Pfizer did not immediately respond to Fierce Pharma’s request for comment.

In its letter to employees, meanwhile, Pfizer said those who were overpaid could return the money over one, three or six months. “Please be assured that money will not be taken from your paycheck without prior notification,” the company added.

To compensate employees for their trouble, Pfizer also said it’s offering $250 to those affected by the Kronos outage—however, if the employee was overpaid, that amount will be deducted from the balance they owe.

One employee told the channel they owed more than $800 in overpayment, while another said the issue was affecting hourly workers across the company.

Pfizer isn’t the only corporation dealing with the fallout of last year’s cyberattack. Tesla and PepsiCo have filed a class-action lawsuit that contends Ultimate Kronos Group owes damages because it was negligent in guarding against an attack, Endpoints News points out.

While Pfizer’s experiencing some headache from this incident, it’s nothing like the Merck & Co. attack back in 2017. The New Jersey pharma was just one of many global companies hit by the Russian military-linked strike in June of that year.

The cyber assault hamstrung Merck’s in-house API production and affected its formulation and packaging systems, plus R&D and other operations.

Merck and its insurers are still fighting over more than $1 billion in losses from the attack, though the company in January notched a win when its insurers lost a bid to exclude the so-called NotPetya incident under an “act of war” exclusion.

The insurers’ rationale? The attack originated from the Russian government as part of its hostility toward Ukraine. Merck, for its part, took the opposite stance, and a New Jersey judge agreed, concluding the act of war exclusion doesn’t apply since it’s intended for actual armed conflict.

Separately, numerous COVID-19 players, Pfizer included, were swept up in a spate of breaches and cyberattacks in 2020. Moderna, AstraZeneca and BioNTech were among those affected, with coronavirus vaccine data often a prime target.