Clorox Initiates a $380 Million Lawsuit, Alleging Cognizant as the Culprit Behind the 2023 Cyberattack
In a significant legal dispute, The Clorox Company has filed a lawsuit against Cognizant, the IT services provider that managed its help desk, over a cyberattack that took place in 2023. The attack, which cost Clorox an estimated $380 million, is believed to have been a social-engineering attack that targeted the company's IT infrastructure.
According to Mary Rose Alexander, outside counsel for The Clorox Company, Cognizant handed over the keys to Clorox's corporate network to a notorious cybercriminal group, Scattered Spider, during the attack. The hacking collective is known for social-engineering attacks, including voice phishing.
Clorox alleges that Cognizant repeatedly reset employee passwords and multifactor-authentication (MFA) credentials without proper verification, allowing attackers to escalate privileges, spread within the network, and paralyze Clorox's operations. This led to halted manufacturing, product shortages, and widespread business disruption.
The lawsuit, filed in California Superior Court, seeks $380 million in total damages, including approximately $49 million in direct remediation costs. Clorox accuses Cognizant of breach of contract, gross negligence, and intentional misrepresentation, claiming that Cognizant failed to safeguard Clorox's corporate systems and botched its response to the attack, prolonging the recovery time.
However, Cognizant denies responsibility for managing Clorox’s cybersecurity, stating that its contract covered only help desk services and that Clorox maintained an internal cybersecurity system. Cognizant's spokesperson called Clorox's cybersecurity "inept" and rejected claims that Cognizant failed in its duties.
The dispute illustrates significant conflict over responsibility for cybersecurity failures and the resulting severe operational and financial consequences for Clorox following the 2023 attack. The attack on Clorox is captured on call recordings, according to Mary Rose Alexander.
| Aspect | Clorox's Allegations | Cognizant's Position |
|---|---|---|
| Cause of breach | Help desk staff improperly reset passwords and MFAs, enabling attackers' access | Contract limited to help desk; cybersecurity managed by Clorox internally |
| Impact on Clorox | Paralyzed corporate network, halted manufacturing, caused product shortages | Blames Clorox’s internal cybersecurity deficiencies |
| Damages sought | $380 million total (including $49 million remediation costs) | Disputes responsibility |
| Incident response quality | Botched and compounded damage due to incompetence | Claims performed contracted help desk services reasonably |
This dispute highlights the importance of robust cybersecurity measures and the potential consequences of negligence in this critical area. The case is ongoing, and further developments are expected in the coming months.
- Despite Cognizant's claim of limited responsibilities, Clorox alleges that the IT services provider's repeated password and multifactor-authentication resets without proper verification allowed a cybercriminal group, such as Scattered Spider, to execute voice phishing and phishing attacks.
- In the ongoing legal dispute, The Clorox Company accuses Cognizant of negligence in managing their cybersecurity, as call recordings suggest that Cognizant's actions, including failing to safeguard Clorox's corporate systems and botching the response to the 2023 attack, led to financial losses of $380 million, with a significant impact on Clorox's technology infrastructure and business operations.