Clorox Sues Vendor Over $380M Hack Due to Password Mishandling

Summary
– Hackers easily breached Clorox’s network by calling the IT service desk and obtaining password and MFA resets without identity verification.
– The attackers impersonated an employee and later an IT security staffer, gaining access to plant ransomware or steal data, causing $380 million in damage.
– Clorox claims the breach occurred because its outsourced IT provider, Cognizant, failed to follow basic security procedures for handling service desk requests.
– A lawsuit alleges Cognizant’s negligence, stating it handed over network credentials without authentication and lacked proper employee training.
– Cognizant managed Clorox’s IT service desk for a decade, handling password resets and MFA requests, but failed to secure access effectively.
Cyberattacks often exploit human vulnerabilities rather than technical flaws, as demonstrated by a recent high-profile case involving household products giant Clorox. The company alleges that a $380 million security breach occurred due to shockingly lax authentication practices by its IT vendor, Cognizant.
The attack unfolded with startling simplicity. Hackers reportedly contacted Clorox’s IT service desk, managed by Cognizant, posing as employees. Without verifying identities, the service desk granted password resets and multifactor authentication (MFA) overrides for both Okta and Microsoft accounts. Armed with these credentials, the attackers impersonated an IT security employee, gaining deeper network access to deploy ransomware and steal sensitive data.
Clorox claims Cognizant violated contractual security protocols, describing the vendor’s actions as negligent and reckless. A lawsuit filed by Clorox states that Cognizant employees lacked proper training, enabling the breach through careless credential distribution. “The cybercriminal didn’t need sophisticated hacking methods,” the complaint emphasizes. “They simply called, asked for access, and Cognizant handed it over, no verification required.”
For a decade, Cognizant had managed Clorox’s service desk, handling routine access requests like VPN setups and MFA resets. Yet basic safeguards, such as identity confirmation, were allegedly ignored. The incident highlights how third-party vendors can become critical vulnerabilities if security practices aren’t rigorously enforced.
While cyber defenses often focus on firewalls and encryption, this breach underscores a harsh reality: human error remains the weakest link. Companies relying on external IT providers must ensure stringent verification processes are followed, because sometimes all it takes is a phone call to bypass millions in security investments.
(Source: Ars Technica)