Clorox Sues Cognizant Over $380M Cyberattack Blamed on Help Desk Security Failures
Clorox, the household name behind brands like Pine-Sol and Burt's Bees, is taking IT services provider Cognizant to court over a devastating 2023 cyberattack that forced the company to halt production and revert to manual processes. Filed in California Superior Court, the lawsuit alleges that Cognizant's help desk contractors blatantly violated security protocols, enabling hackers to infiltrate Clorox's network through a series of shockingly simple social engineering tricks. The breach led to widespread operational paralysis, costing Clorox hundreds of millions in lost sales and recovery expenses—a stark reminder of how human error in third-party vendors can cascade into enterprise-wide disasters.
The Anatomy of a Social Engineering Breakdown
According to court documents, the attack began on August 11, 2023, when cybercriminals impersonated Clorox employees in multiple calls to Cognizant's help desk. Clorox had outsourced its IT support to Cognizant for over a decade, with strict policies requiring identity verification before any password resets. Yet, as captured in call recordings cited in the lawsuit, Cognizant agents repeatedly reset Okta and Microsoft credentials without basic checks:
- Hackers requested password resets for an employee's Okta account, claiming they couldn't access the VPN. The agent complied without verification.
- When the hackers said multi-factor authentication (MFA) wasn't working—a red flag—the agent reset MFA settings.
- In three separate calls that day, credentials were reset for the same account, and the agent even changed the phone number for SMS-based MFA, handing attackers full access.
"Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked," stated Mary Rose Alexander, outside counsel for Clorox. "It’s indefensible."
This chain of failures allowed hackers to pivot to an IT security employee's account, granting them privileged access. Clorox detected the intrusion within hours but had to shut down systems entirely to contain it, triggering what the company called "widescale disruption."
Operational Carnage and a Heated Blame Game
The aftermath was brutal: Clorox halted automated manufacturing, resorted to pen-and-paper order processing, and saw product shortages across retailers. Sales volume dropped 6% in the following months, with $49 million spent on forensic experts and recovery services. Total damages are estimated at $380 million, which Clorox seeks to recover from Cognizant alongside punitive damages.
Cognizant, however, has fired back, claiming Clorox's own cybersecurity was "inept." In a statement, a Cognizant spokesperson argued, "Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox." This rebuttal underscores the murky accountability in outsourced IT relationships—where vendors often operate in silos with limited oversight.
Clorox production facility (Image: cloroxcompany.com)
Why This Lawsuit Resonates Beyond Cleaning Supplies
This case isn't just about bleach and legal fees; it's a cautionary tale for any organization relying on third-party IT support. The attack exploited fundamental gaps:
- Help Desk Vulnerabilities: Despite Clorox's January 2023 policy update mandating tools like MyID for verification, Cognizant agents bypassed them. This highlights how procedural rigor means nothing without enforcement.
- MFA Manipulation: Resetting MFA without challenge is a critical flaw, as MFA is often the last line of defense. Attackers are increasingly targeting this weak spot in social engineering campaigns.
- Vendor Risk Management: With Cognizant managing a critical access point, Clorox's experience shows that outsourcing doesn't absolve companies of security responsibility. Regular audits and integrated training are non-negotiable.
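The reset pattern described above (several password resets on one account in a day, combined with an MFA factor reset and a change to the SMS factor) is exactly the kind of sequence an identity team can alert on from help-desk and identity-provider audit logs. The following is an added example, not code from the article, Clorox or Cognizant; the log format, event names and sample lines are constructed and loosely modelled on identity-provider audit events, so the names would need mapping to your own provider.

```python
"""Flag help-desk-driven credential resets that look like the Clorox pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (timestamp,actor,target,event). Event names are an
# assumption loosely modelled on identity-provider logs, not real Clorox data.
SAMPLE_LOG = """\
2023-08-11T09:02:00Z,helpdesk.agent1,jdoe,user.account.reset_password
2023-08-11T09:40:00Z,helpdesk.agent1,jdoe,user.mfa.factor.reset_all
2023-08-11T11:15:00Z,helpdesk.agent1,jdoe,user.account.reset_password
2023-08-11T11:18:00Z,helpdesk.agent1,jdoe,user.mfa.factor.update
2023-08-11T14:05:00Z,helpdesk.agent1,jdoe,user.account.reset_password
2023-08-11T10:00:00Z,helpdesk.agent2,asmith,user.account.reset_password
"""

RESET_EVENTS = {"user.account.reset_password"}
MFA_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.update"}


def parse(log):
    """Turn the CSV-style lines into (time, actor, target, event) tuples, oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, actor, target, etype = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, target, etype))
    return sorted(events)


def flag_accounts(log, window=timedelta(hours=24), max_resets=1):
    """Return {target: [reasons]} for accounts whose resets inside any sliding
    window exceed the threshold or pair a password reset with an MFA change."""
    by_target = defaultdict(list)
    for ev in parse(log):
        by_target[ev[2]].append(ev)
    hours = f"{window.total_seconds() / 3600:.0f}h"
    flagged = {}
    for target, evs in by_target.items():
        for i, (t0, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            resets = sum(e[3] in RESET_EVENTS for e in win)
            mfa = sum(e[3] in MFA_EVENTS for e in win)
            reasons = []
            if resets > max_resets:
                reasons.append(f"{resets} password resets in {hours}")
            if resets and mfa:
                reasons.append("password reset combined with MFA factor change")
            if reasons:  # first window that trips a rule is enough to alert
                flagged[target] = reasons
                break
    return flagged
```

A single legitimate reset (the `asmith` line) stays quiet, while the repeated resets plus MFA changes on `jdoe` produce an alert that a SOC could route for immediate callback verification with the real employee.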
As breaches grow more sophisticated, this lawsuit could set a precedent for holding IT contractors liable for negligence. For developers and security teams, it reinforces the need to design systems where human elements—like help desks—are fortified with zero-trust principles and continuous monitoring. After all, in cybersecurity, the simplest oversights often unlock the most devastating chaos.
Source: Recorded Future News