Clorox has filed a lawsuit against Cognizant, its longtime IT help desk provider, over a 2023 cyberattack that caused widespread disruption and cost the company an estimated $380 million.
The lawsuit, filed in California Superior Court, claims that Cognizant help desk employees repeatedly reset login credentials for hackers posing as Clorox employees. These actions allegedly allowed the cybercriminals to gain deep access into Clorox’s systems.
The breach was attributed to Scattered Spider, a known cybercrime group that specializes in social engineering.
According to Clorox, the attackers made multiple calls to the help desk, requesting password and multi-factor authentication resets. The help desk agents allegedly granted these requests without verifying the caller’s identity or following Clorox’s internal security procedures.
This attack forced Clorox to take systems offline and manually process orders for months.
Why It Matters: This case highlights the severe consequences of weak identity verification processes in outsourced IT services. As companies increasingly rely on third-party providers, the Clorox lawsuit raises questions about accountability and cybersecurity standards across the supply chain.

- Hackers Exploited Human Error: Clorox claims Cognizant staff ignored policies requiring identity verification before resetting passwords. Hackers called multiple times in one day, requesting resets for VPN, Okta, and Microsoft MFA accounts. The help desk allegedly approved every request without checking if the caller was authorized. No alerts were sent to the affected employees or their managers.
- Widescale Business Disruption: After detecting the breach, Clorox shut down major systems and manufacturing processes. The company moved to manual order entry, resulting in product shortages and shipment delays. Sales volume dropped by 6% in the following six months. Clorox spent $49 million on recovery services and estimates total financial damage at $380 million.
- Transcripts Show Clear Breach of Procedure: Court filings include call transcripts where hackers openly state they cannot log in or access accounts. Despite this, help desk agents reset credentials and MFA with no further checks. Agents also failed to notify employees about changes, as required. Clorox says this violated long-established procedures and a January 2023 policy update.
- Cognizant Denies Responsibility: Cognizant argues that it was only responsible for basic help desk functions, not for cybersecurity enforcement. The company claims it met the terms of its service contract. Clorox counters that Cognizant had been briefed regularly and received explicit instructions on security procedures. Both parties now dispute the scope of responsibility and control.
- Potential Precedent for Vendor Cybersecurity Liability: The case could shape future expectations for third-party vendors involved in IT and cybersecurity support. It shows how failures at the service desk level can escalate into full-scale breaches. Social engineering tactics continue to bypass even well-funded security systems. Companies may need to revisit how they train and monitor external service providers.
Clorox accuses IT provider in lawsuit of giving hackers employee passwords – Reuters