Unauthorized individual allegedly obtained Clorox's passwords from Cognizant via a mere inquiry
In a shocking turn of events, American multinational chemical and consumer goods corporation Clorox has filed a lawsuit against Cognizant, an Indian-based IT services company, for a staggering sum of $380 million in a California state court. The lawsuit stems from a significant cybersecurity breach that occurred in 2023, which Clorox alleges was the result of Cognizant's negligence and failure to adhere to established security protocols.
The breach unfolded when hackers exploited vulnerabilities in Cognizant's help desk operations. Posing as legitimate employees, the hackers contacted Cognizant's service desk and requested password resets. In a series of alarming incidents, the service agents allegedly handed over the passwords without proper verification, such as multi-factor authentication or callback checks, allowing the attackers to access Clorox's network.
The attackers then used these credentials to reset the access for another IT security employee, gaining privileged access to the network and spreading to more devices. This breach resulted in a "catastrophic cyberattack" for Clorox, causing disruptions to its systems and operations, leading to product shortages for customers and "significant lost sales."
The lawsuit claims that Cognizant failed to follow Clorox's procedures for providing credential recovery or reset assistance. Upon receiving a network password reset request from a Clorox employee, service agents were supposed to guide the employee towards using Clorox's verification and self-reset password tool or verify the employee's identity by manager name and MyID user name before resetting the employee's password.
However, in one instance, a Cognizant Agent reportedly provided a password to an attacker, starting with the word "Welcome...", granting unauthorised access to Clorox's network. The cybercriminal also allegedly asked to reset the phone number associated with a staffer at Clorox, which wasn't handled properly according to the lawsuit.
The breach led to operational disruptions, supply chain delays, and financial losses for Clorox. The company estimates direct remediation costs at $49 million and total damages at $380 million, including losses due to business disruption and reputational damage.
Cognizant denies managing cybersecurity for Clorox and claims it was hired for a narrow scope of help desk services, which it reasonably performed. The companies first signed a contract in 2013, and updates were made to the services agreement over time.
Clorox's brand encompasses everything from ubiquitous disinfectant to charcoal briquettes, cat litter, trash bags, Hidden Ranch salad dressing, and more. The company is known worldwide for its wide range of household and consumer products. The ongoing legal battle between the two companies is expected to shed light on the importance of IT security and the responsibilities of outsourced service providers.
- The catastrophic cyberattack on Clorox, which led to operational disruptions, supply chain delays, and financial losses, was initiated through vulnerabilities in Cognizant's help desk operations.
- The lawsuit filed by Clorox against Cognizant claims that the breach was the result of Cognizant's failure to adhere to established cybersecurity protocols, including not following Clorox's procedures for providing credential recovery or reset assistance.
- The General News and Crime & Justice sectors are expected to spotlight the ongoing legal battle between Clorox and Cognizant, highlighting the importance of IT security and the responsibilities of outsourced service providers in maintaining the security of a company's network.
- The use of AI technology in cybersecurity could potentially prevent such breaches in the future, as it can detect and respond to threats more effectively compared to human-led operations.
