- Clorox 2023 breach happened when a threat actor impersonated an employee and had their credentials reset
- Clorox argues Cognizant did not follow standard procedures
- Cognizant says cybersecurity wasn’t its job to begin with
Clorox is suing its IT service provider Cognizant following a 2023 ransomware attack which cost the firm millions of dollars in damages.
Recently filed with the Superior Court of California, the lawsuit says Cognizant is being sued for breach of contract, breach of the covenant of good faith and fair dealing, gross negligence, and intentional misrepresentation.
Back in 2013, Cognizant was contracted to operate Clorox’s employee service desk, which included tasks such as password recovery, credential resets, and IT support for staffers. In 2023, a cybercriminal called a Cognizant employee on the phone, said they were a Clorox employee, and asked for a password and multi-factor authentication (MFA) recovery, since they lost access to their account.
Whose job is it, anyway?
In the filing, Clorox argues the Cognizant employee complied without following established procedures on identity verification, providing alleged transcripts of phone calls between the attacker and the Cognizant employee which allegedly prove the password reset was granted on the spot.
Once the attackers gained access, they reset MFA tokens, changed phone numbers linked to SMS authentication, disabled cybersecurity tools, and exfiltrated sensitive files from the system.
As a result, Clorox had to shut down its systems, pause manufacturing, and rely on manual order processing for weeks. This allegedly resulted in hundreds of millions of dollars in lost sales and reputational damage.
Clorox is now seeking $49 million in direct remediation damages, as well as $380 million in total damages.
In response to the lawsuit, Cognizant told the press it wasn’t their job to defend the IT network from attacks.
Speaking to BleepingComputer, a company spokesperson said: “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”
