US bleach and cleaning product giant Clorox has filed a $380 million lawsuit against IT services provider Cognizant, alleging the company’s helpdesk staff handed over network passwords to cybercriminals who simply called and asked for them, no questions asked.

The complaint filed Tuesday in Alameda County Superior Court includes actual recorded conversations that reveal the stunning simplicity of the August 2023 attack that resulted in $380 million in damages to the consumer goods company.

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit stated. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

‘What’s the password?’ ‘Welcome…’

The lawsuit includes verbatim transcripts showing how easily attackers obtained access to Clorox’s network. In one exchange that epitomizes the security breakdown, a cybercriminal simply stated they couldn’t connect without a password.

“I don’t have a password, so I can’t connect,” the attacker said.

“Oh, ok. Ok. So let me provide the password to you ok?” the Cognizant agent replied immediately, then proceeded to give the password starting with “Welcome…”

This pattern repeated throughout August 11, 2023, with cybercriminals successfully obtaining password resets, multi-factor authentication resets, and even phone number changes for SMS authentication — all without providing employee identification numbers, manager names, or any other verification.

“The breach wasn’t caused by malware or zero-days, but by the absence of basic verification,” said Sanchit Vir Gogia, chief analyst at Greyhound Research. “Enterprises must no longer equate outsourcing with abdication.”

Attack attributed to social engineering specialists

The cyberattack in 2023 was attributed to Scattered Spider, a cybercriminal group known for sophisticated social engineering campaigns targeting IT helpdesks. However, in this case, the attackers succeeded through remarkably basic tactics rather than advanced technical methods.

“Scattered Spider’s success with a plain ‘please reset my password’ call confirms that threat actors will always try the lowest-effort social engineering first and escalate to voice-cloning or deepfakes only if simple tricks fail,” said Prabhjyot Kaur, senior analyst at Everest Group.

The legal filing detailed how attackers used identical approaches to systematically compromise multiple Clorox employees’ accounts. After gaining initial access through one employee’s credentials, they called back multiple times on the same day to reset the same employee’s MFA credentials, with Cognizant agents complying each time without questioning the unusual pattern.

Systematic training failures despite assurances

The security breakdowns occurred despite Clorox providing comprehensive procedures specifically designed to prevent such attacks, the lawsuit added. It further said that Clorox’s internal Service Desk manager held weekly meetings with Cognizant team leaders and repeatedly sought confirmation that updated security procedures had been implemented.

In February 2023, a Cognizant Service Desk Lead confirmed training completion with the comment “Educated the team.” However, the August attack exposed these assurances as false.

“The Cyberattack exposed the fact that this was all a devastating lie,” the lawsuit stated. “If Cognizant had properly trained its Service Desk staff on Clorox’s policies and procedures or basic industry standards, the Cyberattack never would have happened.”

Beyond the initial breach, Cognizant’s failures continued during the incident response. When Clorox detected the intrusion within three hours, the lawsuit alleges that Cognizant took over an hour to reinstall a critical cybersecurity tool that should have taken 15 minutes, and provided incorrect IP address lists that resulted in an eight-hour delay in containment measures.

“The cyberattack forced Clorox to take systems offline, pause manufacturing, and rely on manual order processing for weeks,” it said. The cyberattack caused Clorox about $380 million in damages, including over $49 million in remedial costs, and “hundreds of millions of dollars in business interruption losses,” the lawsuit claimed.

Legal implications for vendor accountability

“This lawsuit may shift breach response from an operational process to a legal calculus — transforming how enterprises negotiate liability, assign contractual burden, and architect resilience,” Gogia explained.

Clorox’s complaint included four causes of action: breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. The gross negligence claim characterizes Cognizant’s conduct as “an extreme departure from the ordinary standard of care.”

“The Clorox suit shows that an outsourced helpdesk can become a single point of catastrophic failure, so enterprises should govern it like any other critical control,” Kaur noted. She recommends that contracts should mandate “zero-trust reset processes” with multi-factor verification and supervisor co-approval for credential changes.
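The reset controls Kaur describes, together with the same-day repeat pattern alleged in the filing, can be checked mechanically against service-desk ticket records. The following is an added example, not taken from the lawsuit or from either company; the ticket fields, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample tickets; field names and values are hypothetical.
TICKETS = [
    {"time": "2023-08-11T09:02", "account": "emp-a", "action": "password_reset",
     "verified": [], "agent": "agent-1", "approver": None},
    {"time": "2023-08-11T11:40", "account": "emp-a", "action": "mfa_reset",
     "verified": [], "agent": "agent-2", "approver": None},
    {"time": "2023-08-11T13:15", "account": "emp-a", "action": "sms_number_change",
     "verified": ["employee_id"], "agent": "agent-1", "approver": "agent-1"},
    {"time": "2023-08-11T14:00", "account": "emp-b", "action": "password_reset",
     "verified": ["employee_id", "manager_name"], "agent": "agent-3",
     "approver": "lead-1"},
    {"time": "2023-08-11T14:30", "account": "emp-b", "action": "software_install",
     "verified": [], "agent": "agent-3", "approver": None},
]

# Credential changes named in the article.
SENSITIVE = {"password_reset", "mfa_reset", "sms_number_change"}
REQUIRED_FACTORS = 2   # assumption: two independent identity checks per reset
MAX_PER_DAY = 1        # assumption: more than one reset per account per day is unusual


def review(tickets):
    """Return (time, account, action, reasons) for each reset that breaks policy."""
    findings = []
    per_day = defaultdict(int)  # (account, date) -> sensitive changes seen so far
    for t in sorted(tickets, key=lambda t: t["time"]):
        if t["action"] not in SENSITIVE:
            continue
        key = (t["account"], datetime.fromisoformat(t["time"]).date())
        per_day[key] += 1
        reasons = []
        if len(set(t["verified"])) < REQUIRED_FACTORS:
            reasons.append("insufficient_verification")
        # Co-approval must come from someone other than the handling agent.
        if not t["approver"] or t["approver"] == t["agent"]:
            reasons.append("no_co_approval")
        if per_day[key] > MAX_PER_DAY:
            reasons.append("repeat_same_day")
        if reasons:
            findings.append((t["time"], t["account"], t["action"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review(TICKETS):
        print(finding)
```

In a live workflow the same checks would run before the reset is executed, so a failing request is held for a supervisor rather than reported afterwards.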

“Clorox is claiming $380 million in damages, illustrating how vendor lapses can dwarf the liability caps still common in IT outsourcing,” Kaur added. She recommended enterprises model third-party cyber failures as a top-five enterprise exposure.

For enterprise security leaders, the case serves as a stark reminder that human verification processes require the same rigor as technical security controls, with contracts that specify operational requirements rather than abstract service-level agreements.

Clorox and Cognizant did not respond to requests for comment.
