However, the complaint alleges that on August 11, 2023, recordings show that a cybercriminal called Cognizant's Service Desk multiple times, pretending to be a Clorox representative requesting password and multi-factor authentication resets. Clorox's complaint alleges breach of contract due to Cognizant's failure to meet ITSA obligations, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation of staff training on the client's credential reset procedures. Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee's password for a hacker without first verifying their identity. "Cognizant provided the service desk ("Service Desk") that Clorox employees could contact when they needed password recovery or reset assistance," reads the complaint shared with BleepingComputer. The lawsuit says Cognizant provided IT services to Clorox, including service desk support and identity management, which was the point of compromise that led to a devastating and costly cyberattack for the company. After allegedly failing to verify the caller's actual identity, Cognizant reset the credentials and multi-factor authentication (MFA) for the hacker, granting them access to Clorox's IT network. "And at no point did the Agent send the required emails to the employee or the employee's manager to alert them of the password reset," Clorox claims in the complaint. In addition to this, Clorox described Cognizant's response and recovery support as overly incompetent, resulting in delays in the application of containment measures, failure to shut down compromised accounts, and sending underqualified personnel on premises. Clorox states that Cognizant's actions paralyzed its corporate network, halted manufacturing, and caused widespread product shortages and business interruption.
To make matters worse, Clorox alleges that the threat actors used the same playbook to reset the password and MFA for another employee who worked in IT security, which was done without verification once again. At no point did the Agent follow Clorox's credential support procedures—either the pre-2023 procedure or the January 2023 update—before changing the password for the cybercriminal. According to the complaint, from 2013 to 2023, Cognizant was contracted by Clorox to handle its IT operations. "Cognizant's operation of the Service Desk came with a simple, common-sense requirement: never reset anyone's credentials without properly authenticating them first." For these actions, which resulted in hundreds of millions of dollars in lost sales due to business disruption, as well as reputational damage with long-term consequences, Clorox is seeking $49 million in direct remediation damages and $380,000,000 in total damages. "It paralyzed Clorox's corporate network and crippled business operations," describes the legal complaint.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 23 Jul 2025 17:25:21 +0000