Clorox sues Cognizant over 2023 data breach, citing contractor negligence

Clorox, the American cleaning products giant, has sued its IT help desk contractor, Cognizant, alleging the company’s negligence directly enabled a 2023 cyber attack that caused hundreds of millions in damages.

 

On July 22, Clorox sued Cognizant in a California state court, claiming the company gave hackers access to its network by handing over crucial login information without proper checks. In fact, Clorox said that Cognizant’s actions and failures were the direct cause of the August 2023 cyberattack that caused major disruptions to its operations.

 

In August 2023, Clorox, in a filing with the U.S. Securities and Exchange Commission, said that it identified unauthorised activity in some of its internal systems. While Clorox confirmed that the security incident was contained, the cyber attack damaged portions of the company’s IT infrastructure, which caused large scale disruption to Clorox’s operations.

 

According to court documents, the cleaning products giant suffered a damage of $380 million resulting from the cyber security incident and demanded Cognizant to cover that amount along with punitive damages.

 

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal – no authentication questions asked:

 

Cybercriminal: I don’t have a password, so I can’t connect.

 

Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?

 

Cybercriminal: Alright. Yep. Yeah, what’s the password?

 

Cognizant Agent: Just a minute. So it starts with the word "Welcome…” reads the court document.

 

In a statement shared with the Recorded Future News, a spokesperson for Cognizant shifted the allegations on Clorox stating that its “shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.” 

 

“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox,” the spokesperson added.