Clorox Initiates a $380 Million Lawsuit, Alleging Cognizant as the Perpetrator for the 2023 Cyber Breach Incident
In August 2023, household goods manufacturer Clorox experienced a significant cyberattack that disrupted its ability to ship core products for months. The attack, attributed to the notorious hacking group Scattered Spider, has cost Clorox approximately $380 million, including around $49 million in direct remediation costs.
The breach occurred through a social-engineering attack targeting Cognizant's Clorox service desk. Attackers impersonated locked-out employees, successfully obtaining password resets and multi-factor authentication bypasses due to Cognizant staff failing to follow proper verification procedures. This allowed the attackers to gain domain administrator privileges, deploy ransomware, and ultimately disrupt Clorox’s manufacturing, distribution, and IT systems.
Clorox has filed a lawsuit against Cognizant in California Superior Court, accusing the IT services company of negligence. The lawsuit portrays Cognizant as responsible for giving hackers "the keys to Clorox’s corporate network" by handing over credentials without proper authentication and botching the incident response, which prolonged recovery time and exacerbated losses. Clorox emphasized that it had provided Cognizant straightforward protocols for verification, which were ignored, culminating in a "catastrophic cyberattack."
Cognizant has responded by denying responsibility for the breach, asserting that their role was limited to help desk services and that the blame is misplaced on them rather than on Clorox’s security systems. They argue that they performed their services correctly and that Clorox’s internal cybersecurity weaknesses were the primary cause of the attack.
The lawsuit includes call recordings as evidence of Cognizant's alleged negligence. Clorox's external counsel, Mary Rose Alexander, claims Cognizant handed over the keys to Clorox's corporate network to the hackers recklessly. Scattered Spider specializes in social-engineering attacks, using techniques like voice phishing to trick IT help desks, and the attack on Clorox used methods to bypass users' multifactor-authentication protections.
This case highlights the importance of proper authentication and secure management of IT systems. It also underscores the evolving role of Chief Information Security Officers (CISOs), who are increasingly tasked with better understanding the risk calculus of their technology stacks, answering the question: Are we a target?
The group has repeatedly struck targets in the retail, insurance, and airline industries over the past several months. Cognizant criticized Clorox for the lawsuit, stating questions remain about Clorox's own internal cybersecurity protocols. The lawsuit by Clorox against Cognizant is a response to the financial and operational losses incurred due to the cyberattack.
References:
- Clorox Sues Cognizant Over 2023 Cyberattack
- Clorox Files Lawsuit Against Cognizant Over 2023 Cyberattack
- Cognizant Responds to Clorox's Lawsuit Over 2023 Cyberattack
- Scattered Spider Claimed Responsibility for Clorox Cyberattack
- The cyberattack on Clorox in August 2023, which incurred significant financial losses, was perpetrated by the notorious hacking group Scattered Spider, known for their social-engineering tactics like voice phishing that target IT help desks.
- The lawsuit filed by Clorox against Cognizant in California Superior Court alleges that Cognizant's negligence led to the breach, as they handed over credentials without proper authentication and mishandled the incident response, thereby prolonging the recovery time and increasing losses.
- This case serves as a warning for the cybersecurity industry, emphasizing the importance of proper authentication and secure management of IT systems, particularly in the face of evolving threats like those posed by Scattered Spider, which has been active in the finance, technology, retail, insurance, and airline sectors.
