Clorox Sues Cognizant Over Password Failures in 2023 Cyberattack

Clorox has filed a lawsuit against Cognizant, its information technology provider, following a major cyberattack in August 2023 that led to $380 million in damages. According to Clorox, the breach occurred because Cognizant support staff handed over network credentials to a hacker who simply called and asked for them. The lawsuit, filed in California state court, accuses Cognizant of failing to implement basic verification procedures, such as confirming the identity of the caller.

The attack was attributed to Scattered Spider, a group known for targeting corporate IT help desks using social engineering tactics. Clorox alleges that the intrusion was not the result of sophisticated hacking but rather a straightforward exploitation of lax support protocols. Included in the lawsuit are partial transcripts of the interactions between Cognizant staff and the attacker, showing password resets were granted without standard security checks.

Clorox further claims the situation was worsened by additional failures on Cognizant’s part, including not deactivating compromised accounts and improperly restoring data during recovery. These missteps reportedly prolonged disruptions in Clorox’s ability to ship products and meet customer demand. While Cognizant has yet to comment publicly, the lawsuit underscores the high stakes of third-party IT security management in today’s threat landscape.

The incident raises serious questions about vendor accountability and security training within enterprise support systems. Industry experts note that while Scattered Spider is known for persistence, the ease of access in this case points more to negligence than sophisticated tactics. Clorox’s suit may set a precedent for future litigation over service desk security lapses.