In a significant legal move, The Clorox Company has initiated a lawsuit against its former IT service provider, Cognizant, seeking $380 million in damages. The lawsuit, filed in the California Superior Court on July 22, 2025, alleges that Cognizant’s gross negligence facilitated a devastating cyberattack in August 2023, which severely disrupted Clorox’s operations and led to substantial financial losses.
Background of the Cyberattack
In August 2023, Clorox, a leading manufacturer of cleaning products, experienced a cyberattack that forced the company to shut down several systems, resulting in significant operational disruptions and product shortages. The attack was attributed to the cybercriminal group known as Scattered Spider, notorious for employing social engineering tactics to infiltrate corporate networks.
Allegations Against Cognizant
Clorox’s lawsuit centers on the claim that Cognizant’s help desk personnel failed to adhere to established security protocols, thereby enabling the cyberattack. According to the complaint, hackers impersonated Clorox employees and contacted Cognizant’s service desk, requesting password resets and multi-factor authentication (MFA) resets. The service desk agents allegedly complied without conducting proper identity verification, such as requesting employee identification numbers or confirming managerial approval.
The lawsuit includes transcripts of these interactions, highlighting the ease with which the attackers obtained access. In one instance, a hacker stated, I don’t have a password, so I can’t connect, to which the Cognizant agent responded, Oh, OK. OK. So let me provide the password to you OK? This exchange underscores the alleged lack of basic security measures in place at the time.
Financial Impact on Clorox
The cyberattack had a profound financial impact on Clorox. The company reported incurring $49 million in costs related to the incident by the end of 2023. These expenses encompassed third-party consulting services for IT recovery and forensics, as well as incremental operating expenses due to system disruptions. Additionally, Clorox faced hundreds of millions of dollars in business interruption losses, as the attack paralyzed its corporate network, halted manufacturing, and led to significant product shortages.
Cognizant’s Response
In response to the lawsuit, Cognizant has criticized Clorox, suggesting that the company’s internal cybersecurity measures were inadequate. A statement from Cognizant reads, It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.
Legal Implications and Industry Reactions
The lawsuit raises critical questions about vendor accountability and the responsibilities of third-party service providers in maintaining cybersecurity. Clorox’s complaint includes causes of action for breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. The gross negligence claim characterizes Cognizant’s conduct as an extreme departure from the ordinary standard of care.
Industry experts have weighed in on the case, emphasizing the importance of stringent identity verification processes. Security expert Maxie Reynolds remarked that if the breach occurred simply by asking for passwords, it suggested negligence rather than sophisticated social engineering. This sentiment underscores the necessity for organizations to implement robust security protocols and ensure that third-party vendors adhere to them.
Conclusion
The Clorox lawsuit against Cognizant serves as a stark reminder of the potential consequences of lapses in cybersecurity protocols. As companies increasingly rely on third-party service providers, the need for comprehensive security measures and strict adherence to established procedures becomes paramount. The outcome of this case may have far-reaching implications for how organizations manage vendor relationships and safeguard against cyber threats.
