Clorox has filed a blistering complaint in Alameda County Superior Court accusing long-time technology partner Cognizant of handing a cybercriminal “the keys to the kingdom” during an August 2023 help-desk call that triggered a $380 million business disruption.
The lawsuit alleges that the IT outsourcer repeatedly violated Clorox’s password-reset rules, ignored basic authentication checks, and then botched the ensuing incident-response effort, compounding the damage.
According to the 39-page complaint, a threat actor posing as a Clorox employee phoned Cognizant’s service desk on 11 August 2023 and claimed he could not sign in to the corporate virtual-private network.
Cognizant’s agent immediately supplied a new password beginning with “Welcome…” without asking a single verification question, directly contravening Clorox’s written credential-support procedure that mandates manager confirmation or use of the self-service MyID portal.
Minutes later, the same caller convinced the agent to reset multifactor-authentication (MFA) tokens for both Okta and Microsoft, effectively stripping away every secondary security layer.
The complaint recounts nearly identical repeat calls that day for two separate employees, including one in Clorox’s own security unit, enabling the attacker to pivot laterally inside the network.
Clorox says that multiple agents failed to send required post-reset e-mail alerts to the real users or their managers, eliminating an additional chance to detect the social-engineering ruse.
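As an added example (not from the complaint, and not code from Clorox or Cognizant), the following detection logic runs over a constructed help-desk audit feed and flags the sequence described above: a password reset issued without identity verification, followed within minutes by MFA resets for Okta and Microsoft, with no post-reset notification to the user. The event schema, field names and action values are assumptions.

```python
"""Flag help-desk reset sequences that violate a verify-then-notify policy."""
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not real data).
EVENTS = [
    {"ts": "2023-08-11T10:02:00", "account": "user1", "action": "password_reset",
     "agent": "agent7", "verified": False},
    {"ts": "2023-08-11T10:05:00", "account": "user1", "action": "mfa_reset",
     "agent": "agent7", "target": "okta"},
    {"ts": "2023-08-11T10:06:00", "account": "user1", "action": "mfa_reset",
     "agent": "agent7", "target": "microsoft"},
    {"ts": "2023-08-11T11:30:00", "account": "user2", "action": "password_reset",
     "agent": "agent3", "verified": True},
    {"ts": "2023-08-11T11:31:00", "account": "user2", "action": "notify_user",
     "agent": "agent3"},
]

WINDOW = timedelta(minutes=30)  # how long after a password reset we correlate


def find_suspicious_resets(events, window=WINDOW):
    """Return findings for every password reset that lacks verification,
    is followed by an MFA factor reset inside `window`, or is never
    followed by a user notification. Each finding lists its reasons."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_account.setdefault(e["account"], []).append(e)
    findings = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["action"] != "password_reset":
                continue
            t0 = datetime.fromisoformat(e["ts"])
            later = [x for x in evs[i + 1:]
                     if datetime.fromisoformat(x["ts"]) - t0 <= window]
            mfa = sorted({x["target"] for x in later if x["action"] == "mfa_reset"})
            notified = any(x["action"] == "notify_user" for x in later)
            reasons = []
            if not e.get("verified"):
                reasons.append("no identity verification")
            if mfa:
                reasons.append("mfa reset: " + ",".join(mfa))
            if not notified:
                reasons.append("no post-reset notification")
            if reasons:
                findings.append({"account": account, "agent": e["agent"],
                                 "reasons": reasons})
    return findings
```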
Clorox states it detected the intrusion within three hours and expelled the adversary within five days, but only after taking production systems offline, halting manufacturing, and reverting to manual order processing, leading to empty store shelves and lost sales.
The consumer-goods giant pegs its direct remediation outlay at more than $49 million and total business-interruption losses at approximately $380 million.
The lawsuit further contends that Cognizant exacerbated the crisis during the recovery phase:
Clorox argues that the 2013 Information Technology Services Agreement required Cognizant to follow “industry-standard” security practices and to certify that help-desk personnel were trained on the company’s stringent authentication workflows.
Cognizant, which reported $20 billion in 2024 revenue, has not yet filed a response in court.
By “flinging open the otherwise secure gate,” Cognizant allegedly violated explicit contract provisions, the covenant of good faith, and duties of professional care, amounting to gross negligence.
The complaint also levels an intentional-misrepresentation count, citing February 2023 e-mails in which Cognizant’s service-desk lead stated the team had been “educated” on Clorox’s updated password-reset policy, a claim the subsequent breach proved false.
Clorox seeks roughly $380 million in compensatory damages, punitive damages, attorney fees, and interest, and has demanded a jury trial.
In public marketing materials, Cognizant touts its ability to guard against “everyday cyber and social-engineering threats.”
Clorox’s filing asserts that, when tested in the real world, those promises “starkly demonstrated an egregious lack of care” and left the household-products maker bearing the full cost of a preventable catastrophe.