IT services provider Cognizant is facing a multimillion-dollar lawsuit from one of its customers, which claims lax security procedures enabled the Scattered Spider hacking collective – blamed for the attacks on Marks & Spencer and Co-op Group – to access its systems by convincing a Cognizant helpdesk employee to reset a password.
The August 2023 incident saw business at Clorox – a household name in cleaning products in the US – badly disrupted after it was forced to suspend production and shipping in the wake of the social engineering attack. It is thought to have cost the organisation almost $400m.
In the lawsuit, filed in the California Superior Court, Clorox accused Cognizant of repeatedly giving a cyber criminal access to its network by handing them credentials without authenticating them or otherwise following basic cyber security processes.
“Cognizant provided the service desk that Clorox employees could contact when they needed password recovery or reset assistance,” said Clorox in its complaint. “Cognizant’s operation of the service desk came with a simple, common-sense requirement: never reset anyone’s credentials without properly authenticating them first. Clorox made this easy for Cognizant by providing them with straightforward procedures to follow.
“Despite assuring Clorox that it was following these procedures, Cognizant’s conduct on 11 August 2023 demonstrated spectacularly that it was failing to do so…. Cognizant’s failures resulted in a catastrophic cyber attack on Clorox.”
Clorox’s complaint alleges that on 11 August, Cognizant’s service desk received a call from a hacker requesting a reset of an individual’s password – this person is identified in the complaint as Employee 1 – for the Okta identity management tool.
It said the hacker told Cognizant they could not connect to the VPN without a password, following which the customer support agent “unilaterally” reset the password without questioning the caller or verifying their identity. It claimed this was in direct violation of its support procedures.
At this point, Clorox’s complaint continues, the hacker tried their luck again and asked for a reset of their Microsoft multifactor authentication (MFA). Again, it says, this was done without verification.
Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network Clorox’s legal complaint against Cognizant
After conducting two follow-up calls to again reset Employee 1’s Okta and Microsoft passwords, the hacker then convinced Cognizant’s agent to reset the phone number Employee 1 used for SMS MFA.
Clorox said that at no point during all of this did Cognizant’s agent verify the caller was the right person, or follow any of its identity support procedures, which had been updated a few months earlier.
“Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network,” said the complainant.
The complaint goes on to detail how, having accessed its systems, Scattered Spider then targeted Employee 2, an individual working on Clorox’s cyber security team, and used the same playbook to reset that person’scredentials. This enabled the gang to elevate their privileges within Clorox’s IT systems, establish persistence and begin lateral movement.
Clorox said it detected the intrusion within three hours and took action to eject the hackers from its network, but not before being forced to pull the plug on multiple critical systems.
On the basis of these alleged failings, claims that Cognizant intentionally misled Clorox into believing its staff were trained on its policies and procedures, and additional claims of “ongoing incompetence” that allegedly impeded the incident response efforts, Clorox is seeking to recover $49m in direct remediation damages and $380m in total.
In a statement shared with Computer Weekly’s sister title Cybersecurity Dive, a Cognizant spokesperson said: “It is shocking that a corporation the size of Clorox had such an inept internal cyber security system to mitigate this attack.
“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of helpdesk services, which Cognizant reasonably performed. Cognizant did not manage cyber security for Clorox.”
Table of Contents Third-party vulnerabilities: it started with a phone call The lasting effect on boardroom conversations Post-breach lessons Over the four-day Easter weekend of…
Table of Contents Was CrowdStrike a 'Black Swan' event? Risk of single points of failure Could Microsoft have rejected the update? Predictable failures Public admission…
Scottish National Party MP Stewart McDonald has become the latest victim of a Russian state-backed hacking group that specialises in targeting non-government organisations (NGOs), politicians,…
In this podcast we look at containers – as deployed via Kubernetes, for example – and how storage and backup of container-generated data impacts compliance,…
As the United Arab Emirates (UAE) cements its position as one of the world’s most advanced cyber-resilient nations, Help AG has emerged as a strategic…