In a significant legal move, The Clorox Company has initiated a $380 million lawsuit against its IT service provider, Cognizant Technology Solutions. The lawsuit centers on allegations that Cognizant’s help-desk personnel inadvertently granted cybercriminals access to Clorox’s network during a security breach in August 2023. This breach led to substantial operational disruptions and prolonged product shortages.
Background of the Incident
In August 2023, Clorox, a leading manufacturer of household goods, experienced a severe cyberattack attributed to the hacking group known as Scattered Spider. This group is notorious for employing social engineering tactics to deceive IT help desks into providing unauthorized access. The breach had far-reaching consequences, including the paralysis of manufacturing lines, a shift to manual order processing, and significant financial losses.
Details of the Lawsuit
The 87-page complaint, filed in Alameda County Superior Court, accuses Cognizant’s help-desk agents of repeatedly resetting passwords and multi-factor authentication (MFA) tokens for individuals impersonating Clorox employees. Alarmingly, these resets were performed without any security verification. Transcripts included in the lawsuit reveal instances where agents provided passwords without questioning the caller’s identity. For example, one agent responded, Let me provide the password to you, after the caller claimed an inability to log in.
Clorox asserts that it had established strict protocols for credential resets, including verifying a manager’s name and sending confirmation emails. The company alleges that Cognizant falsely assured them that their staff had been trained on these protocols months before the breach. The complaint emphasizes, Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called… and Cognizant handed the credentials right over.
Financial and Operational Impact
The cyberattack had a profound impact on Clorox’s operations and financial standing. The company reported approximately $49 million in remediation costs and hundreds of millions in lost sales due to the disruption. In its SEC filings, Clorox disclosed that the breach led to a significant decline in quarterly sales, with shares dropping over 25% in the weeks following the incident, resulting in a loss of billions in market value.
Cognizant’s Response
Cognizant, a global IT services provider with nearly $20 billion in revenue in 2024, has denied the allegations. A company spokesperson stated, Clorox hired Cognizant for a narrow scope of help-desk services, which Cognizant reasonably performed. We will vigorously defend against these baseless allegations.
Broader Implications
This lawsuit underscores the critical importance of stringent security protocols, especially for outsourced IT services. Similar help-desk exploits have affected other major companies, such as MGM Resorts, highlighting a pervasive vulnerability in relying on external support desks. The case is expected to influence contracting standards between large corporations and their IT service providers, potentially leading to stricter authentication requirements and more severe penalties for non-compliance.
Conclusion
As Clorox works to rebuild its networks and return to automated order processing, the lawsuit against Cognizant serves as a stark reminder of the potential consequences of lapses in cybersecurity practices. The outcome of this case could have significant ramifications for how companies manage and secure their IT support services in the future.
