A years-old ransomware attack is back in the spotlight as State Street Bank takes aim at its former human resources software provider in the Kronos Data Breach $27.6M suit, filed Friday in Massachusetts state court.
The financial services giant alleges that UKG Kronos failed to properly respond to a 2021 cyberattack that crippled payroll systems, exposed employee data and left State Street entangled in regulatory risks across 22 countries.
Alleged Breach of Master Services Agreement
The complaint, lodged in Suffolk County Superior Court, contends that UKG Kronos’ handling of the breach violated a 2015 master services agreement between the companies.
According to the filing, the ransomware incident compromised employees’ personal information and effectively locked approximately 85% of State Street’s global workforce out of UKG Kronos systems for 23 months — nearly two years of operational disruption.
Without access to core HR functions, including reporting overtime, tracking hours worked, managing paid time off and processing leave requests, State Street says it could not meet regulatory reporting obligations in most of the 22 nations where it operates.
The fallout, the bank argues, went far beyond inconvenience. It exposed the institution to legal and compliance risks on multiple fronts.
