Clorox Sues Cognizant for $380M Over Help Desk Hack in Cyberattack

Summary
– Clorox is suing Cognizant for gross negligence, alleging it enabled a 2023 cyberattack by resetting an employee’s password for a hacker without identity verification.
– The attack, linked to Scattered Spider, used social engineering to breach Clorox via Cognizant’s IT service desk, which handled password resets.
– Cognizant allegedly failed to follow verification procedures, resetting credentials and MFA for hackers, granting them access to Clorox’s network and IT security accounts.
– The cyberattack disrupted Clorox’s operations, causing manufacturing halts, product shortages, and reputational damage, with Clorox seeking $49 million in direct damages.
– Cognizant disputes the claims, stating it was only responsible for limited help desk services and blaming Clorox’s internal cybersecurity failures.
Clorox has filed a $380 million lawsuit against Cognizant, accusing the IT services provider of gross negligence in a cyberattack that disrupted operations and caused significant financial losses. The legal complaint alleges that Cognizant’s failure to follow basic security protocols allowed hackers to infiltrate Clorox’s systems through a social engineering scheme in August 2023.
The breach reportedly involved hackers impersonating Clorox employees to trick Cognizant’s help desk into resetting passwords and multi-factor authentication (MFA) credentials. According to court documents, the attackers called multiple times, posing as legitimate employees, yet Cognizant allegedly bypassed identity verification procedures each time. This lapse granted the hackers access to critical systems, including those of an IT security employee, escalating the breach further.
Clorox claims the attack paralyzed its corporate network, forcing manufacturing shutdowns and leading to widespread product shortages. The company also criticized Cognizant’s response efforts, describing them as slow and ineffective, with untrained personnel exacerbating the damage. The lawsuit alleges breach of contract, gross negligence, and misrepresentation regarding staff training on security protocols.
Cognizant, however, disputes the allegations, arguing that its role was limited to help desk services and that Clorox’s own cybersecurity shortcomings were to blame. A spokesperson stated that the company performed its duties reasonably and was not responsible for broader security management.
The incident underscores the growing threat of social engineering attacks, particularly by groups like Scattered Spider, which have targeted major retailers and corporations. Clorox is seeking $49 million in direct damages and an additional $331 million in compensation for lost revenue and reputational harm.
As cyber threats evolve, this case serves as a stark reminder of the importance of stringent identity verification and robust incident response plans. Businesses must ensure third-party vendors adhere to strict security standards to prevent similar breaches.
(Source: Bleeping Computer)