Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee's password for a hacker without first verifying their identity.
The incident was first made public in September 2023 and was reportedly carried out by hackers associated with Scattered Spider, who used a social engineering attack to breach the company.
The lawsuit says Cognizant provided IT services to Clorox, including service desk support and identity management, which was the point of compromise that led to a devastating and costly cyberattack for the company.
Clorox is a major consumer goods company, best known for household cleaning products, bleach, disinfectants, and personal care items. Cognizant is a global IT services and consulting company, providing cloud services, software development, and cybersecurity.
According to the complaint, from 2013 to 2023, Cognizant was contracted by Clorox to handle its IT operations.
"Cognizant provided the service desk ("Service Desk") that Clorox employees could contact when they needed password recovery or reset assistance," reads the complaint shared with BleepingComputer.
"Cognizant's operation of the Service Desk came with a simple, common-sense requirement: never reset anyone's credentials without properly authenticating them first. Clorox made this easy for Cognizant by providing them with straight-forward procedures to follow whenever providing credential recovery or reset assistance."
However, the complaint alleges that recordings show a cybercriminal called Cognizant's Service Desk multiple times on August 11, 2023, pretending to be a Clorox representative and requesting password and multi-factor authentication resets.
"At no point during any of the calls did the Agent verify that the caller was in fact Employee 1. At no point did the Agent follow Clorox's credential support procedures—either the pre-2023 procedure or the January 2023 update—before changing the password for the cybercriminal. The Agent further reset Employee 1's MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee's manager to alert them of the password reset," Clorox claims in the complaint.
This type of social engineering attack has become the hallmark of Scattered Spider attacks, recently used in UK retail attacks on Marks & Spencer and Co-op.
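As an added illustration (not code from the complaint, Clorox or Cognizant), the control the complaint describes in Python: a reset handler that refuses password and MFA resets until an accepted identity check is recorded and alerts both the employee and their manager, plus an audit pass over constructed service-desk records that flags resets performed without verification and counts repeats per account. The accepted-check names, the record format and the manager mapping are assumptions.

```python
from dataclasses import dataclass, field
from collections import Counter
from typing import Optional

# Added example (not from the article, Clorox or Cognizant); the accepted checks are assumed
ACCEPTED_CHECKS = {"manager-callback", "known-device-push", "in-person-id"}

@dataclass
class ResetRequest:
    ticket: str
    employee: str                   # account the caller claims to own
    reset_type: str                 # "password" or "mfa"
    verified_by: Optional[str] = None  # which accepted check was completed, if any

@dataclass
class Outcome:
    allowed: bool
    reason: str
    notifications: list = field(default_factory=list)

def handle_reset(req: ResetRequest, manager_of: dict) -> Outcome:
    """No reset of any kind without an accepted identity check; every completed reset alerts employee and manager."""
    if req.verified_by not in ACCEPTED_CHECKS:
        return Outcome(False, f"{req.ticket}: caller not verified, {req.reset_type} reset refused")
    manager = manager_of.get(req.employee)
    if manager is None:
        return Outcome(False, f"{req.ticket}: no manager of record, required alert impossible")
    alerts = [f"to={req.employee} msg={req.reset_type} reset on {req.ticket}",
              f"to={manager} msg={req.reset_type} reset for {req.employee} on {req.ticket}"]
    return Outcome(True, f"{req.ticket}: {req.reset_type} reset performed", alerts)

# Constructed sample of service-desk audit records (key=value per line), not real data
SAMPLE_LOG = """\
ticket=T100 employee=emp1 type=password verified=manager-callback
ticket=T101 employee=emp7 type=password verified=none
ticket=T102 employee=emp7 type=mfa verified=none
ticket=T103 employee=emp7 type=mfa verified=none
ticket=T104 employee=emp2 type=mfa verified=known-device-push"""

def find_unverified_resets(log: str):
    """Return tickets whose reset lacked an accepted check, and a per-employee count of
    such resets (repeated unverified resets on one account warrant escalation)."""
    flagged, per_employee = [], Counter()
    for line in log.splitlines():
        rec = dict(f.split("=", 1) for f in line.split())
        if rec["verified"] not in ACCEPTED_CHECKS:
            flagged.append(rec["ticket"])
            per_employee[rec["employee"]] += 1
    return flagged, dict(per_employee)
```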