Clorox Sues IT Provider Cognizant For Simply Giving Credentials to Scattered Spider Hackers

The Clorox Company, a leading household goods manufacturer, has filed a $380 million lawsuit against IT services provider Cognizant Technology Solutions.

The lawsuit accuses Cognizant’s help-desk agents of inadvertently providing hackers with access to Clorox’s network during a security breach in August 2023. This intrusion severely disrupted operations and led to months of product shortages.

The 87-page complaint, lodged Tuesday in Alameda County Superior Court, alleges that Cognizant agents repeatedly reset passwords and multi-factor authentication (MFA) tokens for callers who posed as Clorox employees without asking a single security question.

Partial call transcripts filed with the suit show one agent volunteering, “Let me provide the password to you,” after the hacker said he couldn’t log in.

Clorox contends that misplaced trust allowed the Scattered Spider social-engineering group to paralyze manufacturing lines, force manual order processing, and incur roughly $49 million in remediation costs, as well as hundreds of millions in lost sales.

Clorox says it had provided Cognizant with strict credential-reset protocols such as verifying a manager’s name and sending confirmation emails, but that the vendor falsely assured the company its staff had been “educated” on the rules months before the breach.

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the complaint states. “The cybercriminal just called … and Cognizant handed the credentials right over”.

Beyond the initial access, Clorox accuses Cognizant of botching the emergency response.

According to the filing, the vendor took more than an hour to reinstall a security tool after the intruder disabled it, supplied an incorrect list of managed IP addresses, and dispatched engineers who lacked basic knowledge of Clorox’s environment, forcing the manufacturer to hire another firm.

Cognizant, which reported nearly $20 billion in 2024 revenue and hailed its “momentum” in a February earnings release, denies wrongdoing.

“Clorox hired Cognizant for a narrow scope of help-desk services, which Cognizant reasonably performed,” a company spokesperson said in an emailed statement Wednesday. “We will vigorously defend against these baseless allegations”.

Similar help-desk exploits slammed casino operator MGM Resorts last year and continue to plague firms that rely on external support desks.

The August 2023 incident remains one of the costliest supply-chain hacks in recent memory. Clorox disclosed in SEC filings that disruptions shaved up to 28 percent off quarterly sales and cost an additional $49 million in recovery expenses.

Shares fell more than 25 percent in the weeks after the breach, erasing billions in market value.

No hearing date has been set, but the case could significantly impact contracting standards between Fortune 500 companies and their IT outsourcing partners. “Boards are watching,” said Gartner analyst Pranav Patel.

“If help-desk hygiene can cost nearly half a billion dollars, expect every SLA to embed stricter authentication requirements and heavy penalties when they aren’t followed.”

For now, Clorox says it has rebuilt its networks and returned to automated order processing, while Cognizant faces intensified scrutiny over how a routine support call spiraled into a crisis with sweeping operational and legal fallout.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now