Clorox Sues Cognizant for $380M, Alleges Gross Negligence Led to Devastating Cyberattack

Clorox has filed a lawsuit against the global IT services provider Cognizant, accusing the company of gross negligence that allegedly led to a devastating cyberattack in August 2023. According to the complaint, Cognizant—tasked with maintaining Clorox’s IT infrastructure for over a decade—committed a critical error by resetting an employee’s password over the phone at the request of a malicious actor, without verifying the caller’s identity. This lapse granted attackers access to Clorox’s internal network, setting off a chain of events that effectively crippled the company’s operations.

Clorox, renowned for its cleaning, disinfecting, and personal hygiene products, asserts in the lawsuit that Cognizant was contractually obligated to follow stringent identity verification procedures when handling support requests. However, as alleged, a Service Desk representative from Cognizant disregarded these security protocols and restored access without confirming the caller’s legitimacy. The attacker, impersonating a Clorox employee, not only received a new password but also had multifactor authentication reset—without notifying the legitimate account holder or their supervisor, as mandated by internal policy.

The situation deteriorated further when the same tactic succeeded against a second employee, this time a member of the information security team, granting the attackers elevated access within Clorox’s corporate network. The attack, attributed to the threat group Scattered Spider, resulted in extensive damage—halting production, disrupting supply chains, eroding sales, and tarnishing the company’s reputation.

Court filings emphasize that Clorox had proactively provided Cognizant with detailed verification guidelines for handling credential-reset requests. Nevertheless, the contractor’s employee repeatedly bypassed these measures, acting without authentication and failing to notify internal stakeholders.

The lawsuit characterizes the incident not as a mere lapse in judgment, but as a systemic failure in Cognizant’s training and oversight, stemming from inadequate personnel preparation and a blatant disregard for fundamental cybersecurity standards.

Clorox also contends that it relied on Cognizant for professional post-incident remediation. However, according to the company, the vendor failed once again: infrastructure recovery lagged, threat containment measures were delayed, and the response team deployed was undertrained and ineffective—exacerbating the damage.

The complaint includes claims of breach of contract, misrepresentation, fraud concerning staff qualifications, and gross negligence. Clorox is seeking $49 million in direct damages and an additional $380 million to cover lost profits, recovery costs, operational disruptions, and reputational harm.

In response, a Cognizant spokesperson stated that the company’s role was limited to a narrow scope of support services and that it was not responsible for Clorox’s overarching cybersecurity framework. Furthermore, the firm rejected the allegations as unjust, arguing that the true fault lay in Clorox’s own inadequate internal defenses.

This legal clash underscores an increasingly critical issue: organizations are becoming vulnerable not through sophisticated exploits, but through the all-too-human failings that enable social engineering attacks—now a hallmark of threat groups like Scattered Spider. When global enterprises entrust their security to third-party vendors, even a single oversight can cascade into catastrophe.