
Clorox has filed a lawsuit against IT services provider Cognizant, alleging cybersecurity negligence that allowed the Scattered Spider threat actor, also referred to as UNC3944, to breach its network in a 2023 cyberattack. Cognizant denied involvement.
The lawsuit stems from an incident involving the Scattered Spider hackers, a highly persistent group that relies on social engineering to launch ransomware attacks. A receipt for the lawsuit from the Superior Court of Alameda County was provided to Reuters by Clorox, a U.S.-based manufacturer of consumer cleaning and disinfecting products.
The lawsuit claims that Cognizant’s service desk staff enabled the breach by providing employee credentials without proper verification. Cognizant allegedly failed to verify identity, and due to this negligence, handed over access to impostors pretending to be Clorox staff. According to Clorox, the attackers gained access simply by requesting password resets, bypassing basic security protocols such as identity verification.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."
Cognizant denied these claims, saying, "Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed." Yet partial transcripts in the lawsuit allegedly show conversations between the hacker and Cognizant support staff that support Clorox’s claims.
"I don't have a password, so I can't connect," the hacker says, to which the agent replies, "Oh, OK. OK. So let me provide the password to you, OK?" Reuters reported.
Clorox alleges that this failure directly facilitated the hackers’ ability to disrupt operations, resulting in over $380 million in damages, including $50 million in cleanup costs and additional financial losses tied to product distribution delays.
The attack significantly impacted Clorox's operations, halting its ability to ship products to retailers for an extended period. Clorox discovered the breach in August 2023, though reports suggest the attackers may have gained access earlier.
In June, the FBI warned airlines, IT providers, and vendors of Scattered Spider impersonation attacks. This month, four Scattered Spider-linked individuals were charged by UK authorities for ransomware attacks.
In June 2024, the group was seen running VMs inside victims' infrastructure via vSphere and Azure.
Meanwhile, cybersecurity experts have noted the simplicity of the social engineering tactics allegedly used in the data breach. This lawsuit sheds light on the importance of robust third-party oversight and secure IT practices in preventing breaches fueled by human error.
This tactic aligns with multiple warnings from CISA and the FBI about Scattered Spider's use of social engineering against corporate help desks.