Company Sues Cognizant For $380 Million

Clorox, the cleaning products giant, has filed a lawsuit against IT services provider Cognizant, blaming the company for a massive Clorox data breach that hit its systems in 2023. Filed in California Superior Court, the lawsuit alleges that Cognizant, which managed Clorox’s IT help desk operations for over a decade, failed to follow basic cybersecurity protocols, directly enabling a cybercriminal to infiltrate Clorox’s network. The Clorox data breach led to disruption of the company’s manufacturing and distribution processes, a loss in sales, and a costly recovery process.

Clorox is seeking $380 million in damages, in addition to punitive damages, claiming that Cognizant’s negligence was at the heart of the data breach.

Clorox Data Breach That Crippled Operations

In 2023, Clorox was forced to take its systems offline after detecting a cyberattack. The impact was immediate and far-reaching: IT infrastructure was damaged, product shipments slowed, and shelves across the country were left with limited stock of Clorox brands such as Pine-Sol and Burt’s Bees. For months, the company resorted to manual order processing and implemented workarounds to continue operations.

In the months that followed, Clorox reported a 6% drop in sales volume, citing supply chain delays and reduced shipments. The company spent $49 million on forensic investigators, recovery efforts, and consulting services.

Total financial losses from the Clorox data breach reached hundreds of millions, and that’s before taking reputational damage into account.

Allegation of Help Desk Failures

At the heart of Clorox’s legal complaint are serious allegations against Cognizant’s help desk personnel. According to court documents, cybercriminals were able to repeatedly call the help desk and request password resets for employee accounts, including privileged access accounts, without any meaningful identity verification.

Despite Clorox’s clear policies requiring the use of an internal identity verification system called “MyID,” or alternatively verifying an employee’s manager and username, help desk agents allegedly bypassed these safeguards.

The attackers, posing as Clorox employees, were granted access to reset Okta and Microsoft credentials, disable multi-factor authentication (MFA), and even change associated phone numbers for SMS-based login verification, all without being asked to confirm their identity.

Court transcripts reportedly show that the cybercriminal called multiple times on the same day, each time successfully obtaining access credentials.

Clorox’s outside counsel, Mary Rose Alexander, offered a sharp rebuke:

“Cognizant didn’t just drop the ball. They handed over the keys to Clorox’s corporate network to a notorious cybercriminal group in reckless disregard for Clorox’s policies and long-established cybersecurity standards. It’s all captured on call recordings, and it’s indefensible.”

Experts have long warned that help desks are prime targets for attackers due to their customer service culture, which often prioritizes ease of access over strict protocol. In this case, Clorox argues that Cognizant staff not only ignored procedures but also failed to recognize glaring red flags — such as repeated MFA reset requests and access from unauthenticated users.

“The cybercriminal then used those credentials… to attack Clorox,” court documents state. “The resulting cyberattack was debilitating. It paralyzed Clorox’s corporate network and crippled business operations.”
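The red flags alleged above (credential changes made without a logged identity check, repeated same-day requests, and a password reset followed by an MFA change) can be checked mechanically against help-desk audit records. The following is an added example, not taken from the court filings or from either company's systems; the event schema, account names, thresholds and timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical help-desk audit schema:
# (timestamp, account, action, verified). "verified" is True only when
# the agent logged an identity check before making the change.
EVENTS = [
    ("2024-01-15T09:02", "asmith", "password_reset", False),
    ("2024-01-15T09:40", "asmith", "mfa_reset", False),
    ("2024-01-15T13:15", "asmith", "mfa_phone_change", False),
    ("2024-01-15T10:05", "bjones", "password_reset", True),
    ("2024-01-16T11:00", "cwu", "password_reset", True),
    ("2024-01-16T11:20", "cwu", "mfa_reset", True),
]
MFA_ACTIONS = {"mfa_reset", "mfa_phone_change"}

def review_queue(events, window=timedelta(hours=24), max_changes=2):
    """Map account -> sorted list of red-flag codes for analyst review."""
    by_account = defaultdict(list)
    for ts, account, action, verified in events:
        by_account[account].append((datetime.fromisoformat(ts), action, verified))
    findings = {}
    for account, rows in by_account.items():
        rows.sort()
        flags = set()
        for i, (ts, action, verified) in enumerate(rows):
            if not verified:
                flags.add("UNVERIFIED_CHANGE")
            # Changes to this account inside the window ending at this event.
            recent = [r for r in rows[: i + 1] if ts - r[0] <= window]
            if len(recent) > max_changes:
                flags.add("REPEATED_CHANGES")
            # A password reset followed by an MFA change replaces both factors,
            # so it is queued for review even when a check was logged.
            if action in MFA_ACTIONS and any(r[1] == "password_reset" for r in recent[:-1]):
                flags.add("RESET_THEN_MFA_CHANGE")
        if flags:
            findings[account] = sorted(flags)
    return findings

if __name__ == "__main__":
    for account, flags in review_queue(EVENTS).items():
        print(account, flags)
```

On the constructed data, `asmith` raises all three flags, `cwu` is queued only for the reset-then-MFA sequence, and `bjones` (a single verified reset) is not flagged.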

Clorox Cyberattack Lawsuit: Fallout and the Road Ahead

Clorox is still recovering from the incident. According to its latest earnings outlook for FY2025, the company expects a slight decline in net sales, largely due to the lingering effects of the breach, coupled with macroeconomic and geopolitical challenges.

However, Clorox has also received $100 million in insurance payouts related to the attack and expects adjusted earnings per share to grow by 13% to 19% compared to the prior year.

Even so, the broader implications of the Clorox data breach extend beyond quarterly earnings. The case raises fundamental questions about trust, accountability, and the increasingly blurred lines between internal operations and outsourced digital services.

For companies relying heavily on third-party vendors for IT support, the Clorox-Cognizant dispute is a warning shot: vendor oversight and cybersecurity cannot be considered separate responsibilities. A weak link — even in a routine help desk call — can unravel entire systems.

