Clorox sues Cognizant for "giving away" passwords which led to major breach


  • Clorox 2023 breach happened when a threat actor impersonated an employee and had their credentials reset
  • Clorox argues Cognizant did not follow standard procedures
  • Cognizant says cybersecurity wasn't its job to begin with

Clorox is suing its IT service provider Cognizant over a 2023 ransomware attack that Clorox says cost it hundreds of millions of dollars in lost sales and remediation.

The lawsuit, recently filed with the Superior Court of California, accuses Cognizant of breach of contract, breach of the covenant of good faith and fair dealing, gross negligence, and intentional misrepresentation.

Back in 2013, Cognizant was contracted to operate Clorox’s employee service desk, which included tasks such as password recovery, credential resets, and IT support for staff. In 2023, an attacker phoned a Cognizant service-desk employee, claimed to be a Clorox employee who had lost access to their account, and asked for a password reset and multi-factor authentication (MFA) recovery.

Whose job is it, anyway?

In the filing, Clorox argues that the Cognizant employee complied without following the established identity-verification procedures, and cites what it says are transcripts of phone calls between the attacker and the Cognizant employee showing the password reset being granted on the spot.

Once the attackers gained access, they reset MFA tokens, changed phone numbers linked to SMS authentication, disabled cybersecurity tools, and exfiltrated sensitive files from the system.
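Each step in the sequence the filing describes (a help-desk password and MFA reset, then MFA re-enrollment, a new SMS number, and security tooling switched off) is routine on its own; what a detection engineer looks for is the whole chain compressed into minutes on one account. The following is an added example, not code from the article, Clorox or Cognizant: it correlates a help-desk-initiated password reset with follow-on identity changes over a handful of constructed log events. The event schema, the `helpdesk-` actor prefix, the 30-minute window and the severity rule are all assumptions for illustration, not any vendor's real log format.

```python
"""Correlate help-desk credential resets with follow-on MFA and security-tool changes.

Added example. Event schema, actor naming, window and severity rule are
assumptions for illustration; they do not reflect any real product's logs.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, actor, action, target).
# "target" is the affected account for identity events and a hostname for
# endpoint events, so endpoint events are tied to the user via "actor".
SAMPLE_EVENTS = [
    ("2023-08-11T09:02:10", "helpdesk-agent-17", "password_reset", "jdoe"),
    ("2023-08-11T09:03:05", "helpdesk-agent-17", "mfa_factor_reset", "jdoe"),
    ("2023-08-11T09:07:40", "jdoe", "mfa_phone_change", "jdoe"),
    ("2023-08-11T09:15:22", "jdoe", "security_agent_disabled", "WKS-0421"),
    ("2023-08-11T10:30:00", "helpdesk-agent-04", "password_reset", "asmith"),
    ("2023-08-12T11:00:00", "asmith", "login_success", "asmith"),
]

RESET_WINDOW = timedelta(minutes=30)           # assumed correlation window
HIGH_RISK_ACTIONS = {"mfa_phone_change", "security_agent_disabled"}
FOLLOW_ON_ACTIONS = {"mfa_factor_reset"} | HIGH_RISK_ACTIONS


def _parsed(events):
    """Parse timestamps and sort chronologically."""
    return sorted(
        ((datetime.fromisoformat(ts), actor, action, target) for ts, actor, action, target in events),
        key=lambda e: e[0],
    )


def find_suspicious_resets(events, window=RESET_WINDOW):
    """Return one finding per help-desk password reset that is followed, within
    `window`, by an MFA factor reset, an MFA phone-number change, or a security
    agent being disabled on behalf of the same account.

    Severity is "high" when a high-risk action appears or two or more follow-on
    actions chain together, otherwise "medium"."""
    parsed = _parsed(events)
    findings = []
    for ts, actor, action, target in parsed:
        # Only resets performed by the service desk are the trigger (assumed prefix).
        if action != "password_reset" or not actor.startswith("helpdesk-"):
            continue
        user = target
        follow_on = [
            ev_action
            for ev_ts, ev_actor, ev_action, ev_target in parsed
            if ts < ev_ts <= ts + window
            and ev_action in FOLLOW_ON_ACTIONS
            and (ev_target == user or ev_actor == user)
        ]
        if not follow_on:
            continue
        severity = "high" if (HIGH_RISK_ACTIONS & set(follow_on) or len(follow_on) >= 2) else "medium"
        findings.append({
            "user": user,
            "reset_at": ts.isoformat(),
            "reset_by": actor,
            "follow_on": follow_on,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately does not fire on the second reset (`asmith`), whose only later event is a normal login a day later; the signal is not the reset itself but the re-enrollment and contact-method changes that follow it before anyone has verified the caller.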

As a result, Clorox had to shut down its systems, pause manufacturing, and rely on manual order processing for weeks. This allegedly resulted in hundreds of millions of dollars in lost sales and reputational damage.

Clorox is now seeking $49 million in direct remediation damages, as well as $380 million in total damages.

In response to the lawsuit, Cognizant told the press that defending Clorox's IT network from attacks was not its job.

Speaking to BleepingComputer, a company spokesperson said: "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
