US bleach co Clorox sues Cognizant over cyberattack

BENGALURU: US household goods manufacturer Clorox sued Cognizant for $380 million, alleging that the latter’s service desk granted access to cybercriminals to Clorox’s network by providing login credentials without properly verifying the requester’s identity or following Clorox’s authentication processes.“The resulting cyberattack was debilitating. It paralysed Clorox’s corporate network and crippled business operations. And to make matters worse, when Clorox called on Cognizant to provide incident response and disaster recovery support services, Cognizant botched its response and compounded the damage it already caused,” Clorox said in its complaint.The complaint alleged that the cyberattack caused Clorox approximately $380 million in damages, including over $49 million in remedial costs alone to fix the damage caused by Cognizant’s entirely preventable errors, and hundreds of millions of dollars in business interruption losses because the cyberattack impeded Clorox’s ability to ship orders and keep its products on the shelves of retailers.Clorox entered into an agreement with Cognizant in 2013 that included service desk support and identity management. The complaint said that Cognizant operated the service desk for Clorox and provided IT support for Clorox employees, including employee credential recovery when needed.The cybercriminal called the Cognizant service desk a second time, again masquerading as Clorox employee 1, it said. On August 11, 2023, the cybercriminal initially contacted the service desk to request a reset of employee 1’s password for Okta, an identity management tool Clorox used to verify network access. The agent replied by asking the cybercriminal to connect to Clorox’s virtual private network (VPN). The cybercriminal then claimed he could not access the VPN without a password. The complaint said without any additional questions or identity checks, the agent reset Clorox’s password, directly violating Clorox’s credential support protocols.When TOI reached out to Cognizant, its spokesperson said, “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”