Attack attributed to social engineering specialists: The cyberattack in 2023 was attributed to Scattered Spider, a cybercriminal group known for sophisticated social engineering campaigns targeting IT helpdesks. However, in this case, the attackers succeeded through remarkably basic tactics rather than advanced technical methods. “Scattered Spider’s success with a plain ‘please reset my password’ call confirms that threat actors will always try the lowest-effort social engineering first and escalate to voice-cloning or deepfakes only if simple tricks fail,” said Prabhjyot Kaur, senior analyst at Everest Group. The legal filing detailed how attackers used identical approaches to systematically compromise multiple Clorox employees’ accounts. After gaining initial access through one employee’s credentials, they called back multiple times on the same day to reset the same employee’s MFA credentials, with Cognizant agents complying each time without questioning the unusual pattern.
Systematic training failures despite assurances: The security breakdowns occurred despite Clorox providing comprehensive procedures specifically designed to prevent such attacks, the lawsuit added. The lawsuit further said that Clorox’s internal Service Desk manager held weekly meetings with Cognizant team leaders and repeatedly sought confirmation that updated security procedures had been implemented. In February 2023, a Cognizant Service Desk Lead confirmed training completion with the comment “Educated the team.” However, the August attack exposed these assurances as false. “The Cyberattack exposed the fact that this was all a devastating lie,” the lawsuit stated. “If Cognizant had properly trained its Service Desk staff on Clorox’s policies and procedures or basic industry standards, the Cyberattack never would have happened.” Beyond the initial breach, Cognizant’s failures continued during the incident response. When Clorox detected the intrusion within three hours, the lawsuit alleges that Cognizant took over an hour to reinstall a critical cybersecurity tool that should have taken 15 minutes, and provided incorrect IP address lists that resulted in an eight-hour delay in containment measures. “The cyberattack forced Clorox to take systems offline, pause manufacturing, and rely on manual order processing for weeks,” it said. The cyberattack caused Clorox about $380 million in damages, including over $49 million in remedial costs, and “hundreds of millions of dollars in business interruption losses,” the lawsuit claimed.
Legal implications for vendor accountability: “This lawsuit may shift breach response from an operational process to a legal calculus, transforming how enterprises negotiate liability, assign contractual burden, and architect resilience,” Gogia explained. Clorox’s complaint included four causes of action: breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. The gross negligence claim characterizes Cognizant’s conduct as “an extreme departure from the ordinary standard of care.” “The Clorox suit shows that an outsourced helpdesk can become a single point of catastrophic failure, so enterprises should govern it like any other critical control,” Kaur noted. She recommends that contracts should mandate “zero-trust reset processes” with multi-factor verification and supervisor co-approval for credential changes. “Clorox is claiming $380 million in damages, illustrating how vendor lapses can dwarf the liability caps still common in IT outsourcing,” Kaur added. She recommended enterprises model third-party cyber failures as a top-five enterprise exposure. For enterprise security leaders, the case serves as a stark reminder that human verification processes require the same rigor as technical security controls, with contracts that specify operational requirements rather than abstract service-level agreements. Clorox and Cognizant did not respond to requests for comment.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4027266/clorox-sues-cognizant-for-380m-over-alleged-helpdesk-failures-in-cyberattack.html

