Cleaning products giant Clorox has filed a lawsuit against IT services provider Cognizant, accusing the company of making it easy for hackers to breach its systems in the 2023 cyberattack.
Clorox is seeking $380 million from Cognizant, which includes $49 million in remedial costs — this amount was previously reported by Clorox — and hundreds of millions of dollars in losses caused by business interruption.
The cybersecurity incident came to light in August 2023, when Clorox reported shutting down some systems in response to a hacker attack. The company later said the damaging cyberattack caused significant disruptions to its operations, which led to product shortages.
While it has not been confirmed, the attack was linked at the time to the notorious Scattered Spider cybercrime group, which has recently become highly active again. Several alleged members of the gang have been arrested and prosecuted over the past year.
In the complaint against Cognizant (courtesy of Dark Web Informer), Clorox said Cognizant had provided it with support services, including password recovery and resets.
Clorox said Cognizant employees did not follow established procedures and failed to authenticate the individuals requesting password recovery or reset assistance.
The cleaning products firm has shared some of the conversations between the hackers and Cognizant staff, and they apparently show that the cybercriminals were indeed easily handed the credentials they requested.
Clorox said Cognizant employees, over several calls, reset passwords associated with Okta access and helped the attackers reset multi-factor authentication (both Okta and Microsoft MFA), without verifying the alleged caller’s identity.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over,” Clorox alleges in the lawsuit.
While Clorox claims that Cognizant had been tasked with helping “guard the proverbial front door”, the IT services provider said in a statement to the media that it had not been in charge of Clorox’s cybersecurity.
“It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack,” Cognizant said. “Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”

