The Clorox Company (NYSE: CLX) has filed a lawsuit in a California state court against its IT service provider, Cognizant (NASDAQ: CTSH), seeking $380 million USD in damages. The complaint alleges that negligence and breach of contract by Cognizant’s service desk personnel directly enabled a major cyberattack in August 2023 that caused significant disruption to Clorox’s manufacturing and business operations.
In the 19-page complaint filed in the Superior Court of California, Clorox claims that Cognizant agents failed to adhere to established security procedures for credential recovery. The lawsuit alleges that an attacker, posing as a Clorox employee, could obtain network access credentials simply by calling the Cognizant-operated service desk and requesting them, without undergoing proper identity verification.
According to the legal filing, Clorox’s protocol required service agents to guide employees toward a self-service password tool or to verify the employee’s identity by confirming their manager’s name and user ID before resetting a password. The procedure also mandated that confirmation emails be sent to the employee and their manager following any reset.
The lawsuit alleges these steps were not followed. The filing includes a transcript from a recording of a call, claiming a Cognizant agent provided a password to a cybercriminal after the attacker stated they could not connect to the network.
The complaint details that on August 11, 2023, an agent reset access for Okta (NASDAQ: OKTA), the identity management platform used by Clorox, for an attacker posing as an employee. The agent allegedly reset the password and associated multifactor authentication (MFA) credentials multiple times without performing any identity verification and failed to send the required notification emails.
Clorox asserts that the attacker used this initial access to gather information and subsequently compromise the credentials of a second employee working in IT security. While Clorox states it removed the intruder from its network environment within three hours of the initial activity, the company was forced to take its systems offline to contain the threat.
This shutdown led to severe operational disruptions for the company. Manufacturing processes were halted for weeks, forcing a reliance on manual order processing, which resulted in product shortages for customers and what the complaint terms “significant lost sales.” The lawsuit also criticizes Cognizant’s post-incident response, alleging delays in reinstalling critical cybersecurity tools and mishandling database recovery tasks.
In a statement responding to the lawsuit, a spokesperson for Cognizant said, “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services, which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.” Clorox is requesting a jury trial to resolve the matter.
Cognizant has previously succumbed to the “Maze” ransomware. The ransomware infects and encrypts networked computers inside the victim enterprise, transmits the encrypted data to the controlling data kidnappers, who then hold such data hostage pending payment by the victim company.
See also: Cognizant Ransomware Losses May Reach $70 Million
Headline photo: Cognizant Pune Delivery Center. Photo credit: Cognizant/Flickr.
Leave a Reply