Cognizant Accused of Gross Negligence in Clorox Cyberattack

Thursday, Jul 24, 2025 1:53 pm ET

Clorox has accused IT services provider Cognizant of gross negligence and breach of trust after a cyberattack caused $380 million in damages. Clorox claims Cognizant failed to follow basic cybersecurity protocols, handing over network credentials to a hacker without proper authentication. The attack disrupted Clorox's corporate network and supply chain, causing significant business interruption losses.

In a significant legal move, Clorox has filed a $380 million lawsuit against IT services provider Cognizant, accusing the latter of gross negligence and breach of trust. The lawsuit alleges that Cognizant's helpdesk staff handed over network credentials to a hacker without proper authentication, leading to a cyberattack that caused substantial damage to Clorox's operations.

The cyberattack, which occurred on August 11, 2023, was attributed to the cybercriminal group Scattered Spider. According to the complaint, Cognizant's helpdesk agents reset passwords and multi-factor authentication (MFA) credentials for the hacker without verifying their identity. The lawsuit includes verbatim transcripts of the calls, which reveal how easily the attackers obtained access to Clorox's network.

The breach was particularly damaging as it disrupted Clorox's corporate network and supply chain, causing significant business interruption losses. The lawsuit alleges that Cognizant's failures continued during the incident response, with delays in containment measures and the provision of incorrect IP address lists.

Clorox's complaint includes four causes of action: breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. The gross negligence claim characterizes Cognizant’s conduct as an extreme departure from the ordinary standard of care.

The legal filing also highlights the fact that the cyberattack was not caused by sophisticated hacking techniques but by the absence of basic verification processes. This raises questions about the effectiveness of outsourcing IT services and the need for more stringent security measures.

The case serves as a stark reminder that human verification processes require the same rigor as technical security controls. For enterprise security leaders, the case underscores the importance of contracts that specify operational requirements rather than abstract service-level agreements.

Clorox and Cognizant did not respond to requests for comment.

