$380M lawsuit claims intruder got Clorox's passwords from Cognizant simply by asking
- Reference: 1753278309
- News link: https://www.theregister.co.uk/2025/07/23/lawsuit_clorox_vs_cognizant/
Clorox filed a complaint yesterday alleging breach of contract and negligence, among other things, and claimed Cognizant's "failures" ultimately led to a "[2]catastrophic cyberattack" against the bleach maker in 2023, which it claims caused "devastating disruptions to Clorox's systems and operations." You can read the partially redacted 19-page complaint [PDF] [3]here.
According to the lawsuit, Cognizant operated a service desk for Clorox and provided IT support for Clorox staffers, "including employee credential recovery when needed." It adds the pair first signed a contract more than a decade ago, in 2013, with updates to the services agreement along the way.
The bleach maker is claiming Cognizant failed to follow its "straightforward procedures" for providing credential recovery or reset assistance.
Clorox alleges in the suit that its internal service desk manager requested an updated credential support procedure in February 2023, several months before the August 2023 cyberattack, and that, after some pestering, Cognizant's Service Desk Lead "responded and confirmed that the credential support procedures action item had been completed with the comment 'Educated the team,' in past tense."
"Cognizant Agents' calls with the cybercriminal exposed that this was a blatant lie," the complaint goes on to allege.
The filing claims:
Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox's corporate network to the cybercriminal – no authentication questions asked:
Cybercriminal: I don't have a password, so I can't connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?
Cybercriminal: Alright. Yep. Yeah, what's the password?
Cognizant Agent: Just a minute. So it starts with the word "Welcome…"
According to the suit, Clorox's updated procedures for responding to network credential support requests meant that, upon receiving a network password reset request from a Clorox employee, service agents were supposed to "guide the employee toward using Clorox's verification and self-reset password tool, MyID; or if MyID was not available, to verify the employee's identity by (a) manager name and MyID user name before resetting the employee's password, along with (b) required confirmation emails to the employee's Clorox email account and to the relevant manager after a reset."
The company alleges these weren't followed during the attack, claiming an agent working at Cognizant's Service Desk reset access "for Okta," the identity management tool Clorox used to authenticate access to its network, when an attacker called posing as the staffer on August 11, 2023. Clorox claims the service agent asked the attacker to connect to Clorox's VPN, but the intruder allegedly protested they couldn't without a password. The filing claims the service agent then reset the Okta access without any further questioning or identity verification, "in direct violation of Clorox's credential support procedures."
The attacker then asked to have their Microsoft MFA credentials reset, which the service agent allegedly did "multiple times without any identity verification at all."
Clorox further alleges in the filing that "at no point did the Agent send the required emails to the employee or the employee's manager to alert them of the password reset."
The lawsuit claims the attacker also asked to reset the phone number associated with that staffer – the complaint calls them "Employee 1" – for SMS MFA.
Clorox alleges: "The cybercriminal used Employee 1's compromised credentials to log into and gather information from the Clorox network. The cybercriminal then was able to target the credentials of Employee 2, who worked in IT security."
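The credential support procedure quoted above (MyID self-service first; otherwise verify manager name and MyID user name; always e-mail the employee and the manager after a reset) and the reset sequence the complaint describes (password, then MFA, then SMS phone number on one account, with no verification) are both captured in the following added Python illustration. It is not code from Clorox, Cognizant or the complaint: a small policy gate applies the three steps to a reset request, and an audit pass over a constructed reset log flags the pattern the suit alleges. The directory, account names, timestamps and field names are all constructed for the example.

```python
"""Help-desk credential-reset policy gate and reset-log audit (added illustration).

Models the procedure described in the complaint; all data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed directory: MyID user name -> employee record (hypothetical names).
DIRECTORY = {
    "jdoe": {"email": "jdoe@example.test", "manager": "A. Manager",
             "manager_email": "amanager@example.test"},
}


@dataclass
class ResetRequest:
    myid_user: str                      # account the caller claims to own
    factor: str                         # "password" | "mfa" | "sms_phone"
    myid_available: bool                # can the caller be sent to self-service?
    claimed_manager: str | None = None  # what the caller says their manager is
    claimed_myid_user: str | None = None


@dataclass
class Decision:
    action: str                         # "redirect_to_myid" | "reset" | "deny"
    notify: list[str] = field(default_factory=list)
    reason: str = ""


def decide(req: ResetRequest) -> Decision:
    """Apply the three-step procedure to a single reset request."""
    emp = DIRECTORY.get(req.myid_user)
    if emp is None:
        return Decision("deny", reason="unknown account")
    if req.myid_available:
        # Step 1: self-service is available, so the agent never hands out a credential.
        return Decision("redirect_to_myid", reason="self-service available")
    # Step 2: fallback verification requires BOTH facts to match the directory.
    if req.claimed_myid_user != req.myid_user or req.claimed_manager != emp["manager"]:
        return Decision("deny", reason="identity verification failed")
    # Step 3: a reset is only complete with confirmation mail to employee and manager.
    return Decision("reset", notify=[emp["email"], emp["manager_email"]],
                    reason="verified by manager name and MyID user name")


@dataclass
class ResetEvent:
    ts: datetime
    account: str
    factor: str
    verified: bool
    notified: list[str]


def audit(events, window=timedelta(hours=1), max_factors=1):
    """Flag resets done without verification or notification, and any account
    on which more than `max_factors` distinct factors were reset within `window`."""
    findings = []
    by_account: dict[str, list[ResetEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.verified:
            findings.append(f"{ev.account}: {ev.factor} reset without identity verification")
        if not ev.notified:
            findings.append(f"{ev.account}: {ev.factor} reset with no confirmation e-mail")
        by_account.setdefault(ev.account, []).append(ev)
    for acct, evs in by_account.items():
        for i, ev in enumerate(evs):
            recent = [e for e in evs[i:] if e.ts - ev.ts <= window]
            factors = {e.factor for e in recent}
            if len(factors) > max_factors:
                findings.append(f"{acct}: {len(factors)} factors reset within {window}: {sorted(factors)}")
                break
    return findings


# Constructed reset log: three unverified factor resets on one account in minutes,
# then one properly verified and notified reset on another account.
T0 = datetime(2023, 8, 11, 10, 0)
SAMPLE_EVENTS = [
    ResetEvent(T0, "jdoe", "password", verified=False, notified=[]),
    ResetEvent(T0 + timedelta(minutes=6), "jdoe", "mfa", verified=False, notified=[]),
    ResetEvent(T0 + timedelta(minutes=9), "jdoe", "sms_phone", verified=False, notified=[]),
    ResetEvent(T0 + timedelta(hours=3), "asmith", "password", verified=True,
               notified=["asmith@example.test", "mgr@example.test"]),
]

if __name__ == "__main__":
    print(decide(ResetRequest("jdoe", "password", myid_available=False)))
    for line in audit(SAMPLE_EVENTS):
        print(line)
```

The gate is deliberately fail-closed: a caller who cannot be sent to the self-service tool and cannot produce both the manager name and the MyID user name is denied, and the decision carries the two notification addresses so the confirmation e-mails are part of the reset, not an afterthought. The audit is the control you would run over the help-desk's own ticket or IdP logs: a single unverified reset is already a finding, and several factors reset on one account inside an hour is the shape of an account takeover rather than a forgotten password.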
Despite managing to flush the attacker from its environment "within three hours from the cybercriminal's initial activity," Clorox claims the cyberattack caused "devastating" disruptions to its operations: it had to yank its systems offline to avoid further escalation, pause manufacturing, and rely on manual order processing methods for "weeks," resulting in product shortages for customers and "significant lost sales."
It also took its IT support partner to task for its post-incident response, alleging that when Clorox urgently requested that Cognizant reinstall a "critical cybersecurity tool that the cybercriminal had uninstalled... Cognizant took over an hour to complete a task that should have taken less than 15 minutes." It further claims that database recovery, IP address lists, and account shutdowns weren't handled properly. It's seeking $380 million in damages and a jury trial.
The $16 billion market cap bleach maker made $7 billion in revenues [13]last year, and its brand encompasses everything from ubiquitous disinfectant to charcoal briquettes, cat litter, and trash bags, to Hidden Valley Ranch salad dressing.
The Register asked Cognizant to comment on the lawsuit and a spokesperson sent us a statement:
"It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox." ®
[1] https://www.theregister.com/2023/08/15/clorox_cleans_up_security_breach/
[2] https://www.theregister.com/2023/09/19/the_clorox_company_admits_cyber/
[3] https://www.documentcloud.org/documents/26025404-clorox-versus-cognizant-complaint/
[13] https://investors.thecloroxcompany.com/financial-reporting/annual-reports/default.aspx
Password
But bro, i don't have access to my authenticator because i lost my phone. Help me out bro
Re: Password
That worked for e-trade some time back. They recommended a Symantec 2FA app that prohibited backups. It locked people out so often they'd do a login reset without much of an identity challenge.
Re: Password
Symantec, enough said.
Re: Password
… and if asking doesn’t get a password paying offshored staff in India a bung most certainly works.
"... took over an hour to complete a task ..."
Can't say I am overly impressed by this claim. If Cognizant were (and should have been) aware that a severe security compromise was in play then it seems reasonable that they would be especially cautious about making any rushed decisions about installing software and this would seem a prudent and proper thing.
Cognizant look to have had some very serious failings, but why load up the legal suit with this sort of trivia? It seems to be the sort of thing that makes lawyers so widely despised.
What do they claim Clorox should have done to protect against them just giving out fresh passwords?
Is this a Security Bleach?
The lawyers’ll wipe the floor with them and take them to the cleaners.
ATTENTION: Boards of Directors!
The lesson you should learn from this example is, "Don't outsource to the cheapest outfit you can find -- nor to an outfit owned by a board member's relly or special friend."
(Cue startled, shocked, and angry looks by members of boards of directors at this. The angry looks come from those riding the graft gravy-train.)
Someone persuaded a Co-op Bank telephone banking service to change both the email address and mobile number associated with my accounts in a single phone call. It took me an hour on the phone to get it sorted.
The following day the same thing happened again. I no longer bank there.
Cognizant's Competitors Just Got a Gift
It's no surprise to anyone that cheap IT outsourcing sucks, and that you get what you pay for. But that response by their *PR* rep? Holy *bleep!*. "If your IT security was better, it wouldn't have been a problem when our agents handed out password and MFA resets just for asking!"
The utterly anodyne "We don't comment on ongoing litigation" would have been about 100x better.
Deflecting your failures and victim blaming? Classy, Cognizant.