Cognizant Faces Lawsuit from Clorox Over 2023 Cyberattack
In a shocking development, America’s largest bleach manufacturer, Clorox, has filed a lawsuit against IT services provider Cognizant, alleging that Cognizant’s employees provided critical network passwords to hackers during a 2023 cyberattack. The lawsuit, filed in the Superior Court of California, Alameda County, comes nearly two years after the devastating hack caused significant operational disruptions.
Details of the 2023 Cyberattack
According to the lawsuit, Clorox suffered approximately $380 million in damages, including around $50 million in remedial costs, while the rest was linked to the company’s inability to ship products to retailers following the attack. The hackers, identified as the group Scattered Spider, gained access to Clorox’s systems by contacting Cognizant’s service desk and requesting employee credentials.
Clorox alleges that:
- Cognizant employees handed over passwords without proper authentication.
- Hackers gained full access to Clorox’s network using straightforward social engineering tactics.
- Internal controls, such as verifying an employee’s ID or manager’s name, were not followed, leading to a “catastrophic cyberattack.”
Partial transcripts included in the lawsuit reportedly show conversations where hackers simply asked for password resets, and Cognizant staff complied without verifying their identity.
Cognizant’s Response
In response, Cognizant stated that it was hired only for help desk services, not full cybersecurity management.
Jeff DeMarrais, Cognizant’s Senior Vice President of Global Marketing, commented:
“It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed.”
Cognizant emphasized that it did not manage cybersecurity for Clorox, and that the alleged failure was related to Clorox’s own internal security practices.
Implications for Businesses
This lawsuit highlights the critical importance of robust cybersecurity protocols, even when third-party vendors provide support services. Companies are reminded to enforce:
- Strong authentication for all help desk requests
- Multi-factor verification before granting access
- Continuous monitoring of third-party access
Cybersecurity experts warn that social engineering attacks remain one of the most common vectors for corporate breaches, and relying solely on vendor discretion without internal checks can have costly consequences.
