Cleaning product giant Clorox has filed a lawsuit against Cognizant, a company it hired to operate its IT services call-in help desk, accusing the contractor of being directly responsible for a 2023 cyberattack that cost hundreds of millions. In court documents, Clorox produces transcripts of phone calls between the hackers and the help desk — allegedly illustrating that the cybercriminals called more than once to ask for multiple passwords to be reset and never had to identify themselves or prove they worked for Clorox. Clorox employees typically contacted Cognizant’s service desk when they needed to recover their password or reset devices attached to specific accounts, court documents said. Court documents filed by Clorox paint a damning picture of Cognizant employees, who had been running Clorox’s help desk for over a decade. By January 2023, Clorox updated its guidelines, ordering help desk workers to use the company’s verification and self-reset password tool called MyID, the lawsuit said. According to Clorox, its clearly defined password reset policies were repeatedly ignored by Cognizant help desk workers approached by the hackers. “The cybercriminal then used those credentials, and others obtained that same day through similar calls to the Service Desk, to attack Clorox. The cybercriminal used the same tactics again, Clorox said, calling the service desk twice to get Okta MFA and Microsoft MFA passwords changed another time. The cybercriminal then told the service desk that their Microsoft multi-factor authentication was not working — something Clorox believes should have been a red flag. The company reported months of operational issues and said the attack damaged portions of its IT infrastructure, causing “widescale disruption.” Clorox — which earns billions through its namesake cleaning product and several others like Pine Sol, Burt’s Bees and more — had to revert back to manual ordering and processing procedures after the attack. The service desk official agreed to reset both passwords “without any further questioning or identity verification, in direct violation of Clorox’s credential support procedures,” court documents said. The case, filed on Tuesday in California Superior Court, alleges that contractors working for Clorox on behalf of Cognizant repeatedly handed over crucial login information that allowed hackers to breach the company’s systems and cause the disruption. Clorox said its internal Service Desk manager held weekly meetings with the managers of the Cognizant team staffed on the service desk on rules, regulations and any potential updates. “Clorox entrusted Cognizant with the critical responsibility of safeguarding Clorox’s corporate systems — and Cognizant failed miserably,” said Mary Rose Alexander, outside counsel for The Clorox Company. “Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal — no authentication questions asked,” lawyers for Clorox claimed. On the same day, the cybercriminal called the service desk again, asking for the same Microsoft MFA to be reset a second time, a request granted without any verification. In August 2023, Clorox was forced to take systems offline after a cyberattack and told federal regulators that it had disrupted business operations, forcing them to implement workarounds to continue providing its products to customers. The cybercriminal asked the service desk to then change the phone number associated with the employee's account for MFA through SMS text, yet another request granted by the agent. The cybercriminal allegedly used the password resets to log into the network and gather information on Clorox, allowing them to then pivot to another employee who worked in IT security. The service desk worker asked the threat actor to connect to Clorox’s virtual private network, but the hacker responded that they did not have their password for that either. Clorox claimed Cognizant’s “failures and actions directly caused the August 2023 cyberattack and the significant disruptions” to the company’s business operations. Clorox said it provided Cognizant with guidance saying never to reset anyone’s credentials without properly verifying their identity first. At no point did the Agent follow Clorox’s credential support procedures — either the pre-2023 procedure or the January 2023 update — before changing the password for the cybercriminal,” the company’s lawyers said. Clorox said it suffered $380 million in damages from the attack and wants Cognizant to cover that figure as well as punitive damages. Clorox claimed it discovered the intrusion after three hours and tried to contain it but was forced to effectively take all systems offline, pause manufacturing processes and rely on manual order processing.
This Cyber News was published on therecord.media. Publication date: Wed, 23 Jul 2025 13:25:13 +0000