{"id":4090,"date":"2025-07-23T12:02:28","date_gmt":"2025-07-23T12:02:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4090"},"modified":"2025-07-23T12:02:28","modified_gmt":"2025-07-23T12:02:28","slug":"clorox-sues-cognizant-for-380m-over-alleged-helpdesk-failures-in-cyberattack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4090","title":{"rendered":"Clorox sues Cognizant for $380M over alleged helpdesk failures in cyberattack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>US bleach and cleaning product giant Clorox has filed a $380 million lawsuit against IT services provider Cognizant, alleging the company\u2019s helpdesk staff handed over network passwords to cybercriminals who simply called and asked for them, no questions asked.<\/p>\n<p>The complaint filed Tuesday in Alameda County Superior Court includes actual recorded conversations that reveal the stunning simplicity of the August 2023 attack that resulted in $380 million in damages to the consumer goods company.<\/p>\n<p>\u201cCognizant was not duped by any elaborate ploy or sophisticated hacking techniques,\u201d <a href=\"https:\/\/www.documentcloud.org\/documents\/26025404-clorox-versus-cognizant-complaint\/?mode=document\" target=\"_blank\" rel=\"noopener\">the lawsuit stated<\/a>. \u201cThe cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox\u2019s network, and Cognizant handed the credentials right over.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>\u2018What\u2019s the password?\u2019 \u2018Welcome\u2026\u2019<\/strong><\/h2>\n<p>The lawsuit includes verbatim transcripts showing how easily attackers obtained access to Clorox\u2019s network. 
In one exchange that epitomizes the security breakdown, a cybercriminal simply stated they couldn\u2019t connect without a password.<\/p>\n<p>\u201cI don\u2019t have a password, so I can\u2019t connect,\u201d the attacker said.<\/p>\n<p>\u201cOh, ok. Ok. So let me provide the password to you ok?\u201d the Cognizant agent replied immediately, then proceeded to give the password starting with \u201cWelcome\u2026\u201d<\/p>\n<p>This pattern repeated throughout August 11, 2023, with cybercriminals successfully obtaining password resets, <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">multi-factor authentication<\/a> resets, and even phone number changes for SMS authentication \u2014 all without providing employee identification numbers, manager names, or any other verification.<\/p>\n<p>\u201cThe breach wasn\u2019t caused by malware or <a href=\"https:\/\/www.csoonline.com\/article\/3973769\/enterprise-specific-zero-day-exploits-on-the-rise-google-warns.html\">zero-days<\/a>, but by the absence of basic verification,\u201d said <a href=\"https:\/\/greyhoundresearch.com\/svg\/\" target=\"_blank\" rel=\"noopener\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research. \u201cEnterprises must no longer equate outsourcing with abdication.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Attack attributed to social engineering specialists<\/h2>\n<p>The cyberattack in 2023 was attributed to <a href=\"https:\/\/www.csoonline.com\/article\/4020567\/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html?utm=hybrid_search\">Scattered Spider<\/a>, a cybercriminal group known for sophisticated social engineering campaigns targeting IT helpdesks. 
However, in this case, the attackers succeeded through remarkably basic tactics rather than advanced technical methods.<\/p>\n<p>\u201cScattered Spider\u2019s success with a plain \u2018please reset my password\u2019 call confirms that threat actors will always try the lowest-effort social engineering first and escalate to voice-cloning or deepfakes only if simple tricks fail,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/prabhjyot-kaur-b7a006222\/?originalSubdomain=in\" target=\"_blank\" rel=\"noopener\">Prabhjyot Kaur<\/a>, senior analyst at Everest Group.<\/p>\n<p>The legal filing detailed how attackers used identical approaches to systematically compromise multiple Clorox employees\u2019 accounts. After gaining initial access through one employee\u2019s credentials, they called back multiple times on the same day to reset the same employee\u2019s MFA credentials, with Cognizant agents complying each time without questioning the unusual pattern.<\/p>\n<p>\u201cIt is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack,\u201d said a Cognizant spokesperson. \u201cClorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Systematic training failures despite assurances<\/h2>\n<p>The security breakdowns occurred despite Clorox providing comprehensive procedures specifically designed to prevent such attacks, the lawsuit added. 
It further said that Clorox\u2019s internal Service Desk manager held weekly meetings with Cognizant team leaders and repeatedly sought confirmation that updated security procedures had been implemented.<\/p>\n<p>In February 2023, a Cognizant Service Desk Lead confirmed training completion with the comment \u201cEducated the team.\u201d However, the August attack exposed these assurances as false.<\/p>\n<p>\u201cThe Cyberattack exposed the fact that this was all a devastating lie,\u201d the lawsuit stated. \u201cIf Cognizant had properly trained its Service Desk staff on Clorox\u2019s policies and procedures or basic industry standards, the Cyberattack never would have happened.\u201d<\/p>\n<p>Beyond the initial breach, Cognizant\u2019s failures continued during the incident response. When Clorox detected the intrusion within three hours, the lawsuit alleges that Cognizant took over an hour to reinstall a critical cybersecurity tool that should have taken 15 minutes, and provided incorrect IP address lists that resulted in an eight-hour delay in containment measures.<\/p>\n<p>\u201cThe cyberattack forced Clorox to take systems offline, pause manufacturing, and rely on manual order processing for weeks,\u201d it said. The cyberattack caused Clorox about $380 million in damages, including over $49 million in remedial costs, and \u201chundreds of millions of dollars in business interruption losses,\u201d the lawsuit claimed.<\/p>\n<h2 class=\"wp-block-heading\">Legal implications for vendor accountability<\/h2>\n<p>\u201cThis lawsuit may shift breach response from an operational process to a legal calculus \u2014 transforming how enterprises negotiate liability, assign contractual burden, and architect resilience,\u201d Gogia explained.<\/p>\n<p>Clorox\u2019s complaint included four causes of action: breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. 
The gross negligence claim characterizes Cognizant\u2019s conduct as \u201can extreme departure from the ordinary standard of care.\u201d<\/p>\n<p>\u201cThe Clorox suit shows that an outsourced helpdesk can become a single point of catastrophic failure, so enterprises should govern it like any other critical control,\u201d Kaur noted. She recommends that contracts should mandate \u201czero-trust reset processes\u201d with multi-factor verification and supervisor co-approval for credential changes.<\/p>\n<p>\u201cClorox is claiming $380 million in damages, illustrating how vendor lapses can dwarf the liability caps still common in IT outsourcing,\u201d Kaur added. She recommended enterprises model third-party cyber failures as a top-five enterprise exposure.<\/p>\n<p>For enterprise security leaders, the case serves as a stark reminder that human verification processes require the same rigor as technical security controls, with contracts that specify operational requirements rather than abstract service-level agreements.<\/p>\n<p>Clorox did not respond to requests for comment.<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>US bleach and cleaning product giant Clorox has filed a $380 million lawsuit against IT services provider 
Cognizant, alleging the company\u2019s helpdesk staff handed over network passwords to cybercriminals who simply called and asked for them, no questions asked. The complaint filed Tuesday in Alameda County Superior Court includes actual recorded conversations that reveal the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4079,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4090","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4090"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4090"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4090\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4079"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}