The massive 2023 cyber attack on Clorox can be traced to a negligent help desk employee at longtime contractor Cognizant, according to a new lawsuit filed by the company.
Clorox is seeking a total sum of $380 million for breach of contract, lost sales and reputational damage, with $49 million of that in direct remediation. The company is also accusing Cognizant of being “incompetent” in its containment and incident response measures. Cognizant has replied with a statement calling Clorox “inept” in its cybersecurity and claiming that it was only contracted for specific help desk features that it performed as asked.
Clorox says cyber attack “debilitated” corporate network, “paralyzed” business operations
Clorox contracted with Cognizant for help desk services from 2013 until the incident in 2023. The company’s filing claims that it provided Cognizant with “simple” procedures for verifying the identity of employees who called to request a password recovery or reset. A transcript Clorox provided of the August 11 call by the hacker appears to show a Cognizant help desk employee immediately resetting an employee account password for the threat actor without making any attempt to verify their identity, even offering to wait on the line while the attacker tried the temporary password to make sure it worked.
Clorox alleges that the same attacker actually made three calls of this nature over a period of two days, coming back to get new credentials reset as they used the prior ones to explore the internal network. In each case the attacker was able to claim that their MFA wasn’t working due to being “on an old phone” and have the help desk almost immediately hand over a new password for the account without a further security challenge.
Clorox says that the credential support policies it provided made clear that employee credentials were not to be handed over or reset without verification, yet exactly that is what opened the door to the eventual cyber attack. Its filing also indicates that it held regular weekly meetings with Cognizant to discuss new procedures and action items, including one in January 2023 in which Cognizant’s help desk was to be instructed to direct employees to a new self-service reset tool called “MyID.” If MyID happened to be unavailable, the help desk was supposed to collect the caller’s MyID number along with the name of a manager to confirm with. Clorox claims that internal Cognizant notes indicate help desk employees were marked as having been “educated” on this new process in February 2023.
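The reset procedure described above, together with the three-calls-in-two-days pattern from the complaint, as an added defensive illustration (this is constructed example code, not Clorox's or Cognizant's; the account name, MyID number, manager and call times are made up):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model (not Clorox's or Cognizant's code) of the procedure the
# complaint describes: send callers to the MyID self-service tool; only if MyID is
# down may an agent reset, and only after a MyID number plus manager confirmation.

@dataclass
class ResetRequest:
    account: str
    called_at: datetime
    claims_mfa_broken: bool          # "MFA isn't working, I'm on an old phone"
    myid_available: bool
    myid_number: str = ""
    manager_name: str = ""
    manager_confirmed: bool = False  # agent actually reached the named manager

@dataclass
class ResetLog:
    history: dict = field(default_factory=dict)  # account -> list of request times

def decide_reset(req, log, window=timedelta(days=2)):
    """Return (decision, flags). Decisions: self_service, reset, escalate, deny."""
    flags = []
    prior = [t for t in log.history.get(req.account, [])
             if timedelta(0) <= req.called_at - t <= window]
    log.history.setdefault(req.account, []).append(req.called_at)
    if req.claims_mfa_broken:
        flags.append("caller reports MFA unavailable: common bypass pretext")
    if prior:
        flags.append(f"{len(prior)} earlier reset request(s) within {window.days} days")
    if req.myid_available:
        return "self_service", flags   # no credential ever leaves the help desk
    if not (req.myid_number and req.manager_name and req.manager_confirmed):
        return "deny", flags           # the check the transcript shows being skipped
    if prior:
        return "escalate", flags       # verified, but repeat resets go to security
    return "reset", flags

def replay(requests):
    log = ResetLog()                   # fresh log; returns the decision per call
    return [decide_reset(r, log)[0] for r in requests]

# Constructed scenario: three unverified "MFA broken" calls over two days, then a verified one.
T0 = datetime(2023, 8, 11, 9, 0)
SAMPLE_CALLS = [
    ResetRequest("jdoe", T0, True, False),
    ResetRequest("jdoe", T0 + timedelta(hours=5), True, False),
    ResetRequest("jdoe", T0 + timedelta(days=1), True, False),
    ResetRequest("jdoe", T0 + timedelta(days=1, hours=2), False, False,
                 myid_number="MYID-0001", manager_name="A. Manager", manager_confirmed=True),
]
```

Run through `replay`, the three unverified calls are each denied and the later verified call is escalated rather than silently granted, because the repeat-request history is what a real incident responder would want surfaced.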
Problems did not end with help desk malfunctions, Clorox alleges
Clorox says that it detected the attacker within three hours of the ransomware being deployed, and that it immediately engaged Cognizant to coordinate a response but was faced with a series of “inexplicable” delays in completing obligations to shut down access to impacted accounts and reinstall cybersecurity tools. The complaint also notes issues with the recovery process: Cognizant claimed that it could not restore certain databases (later successfully restored by a new contractor), failed to produce application management documentation it was supposed to have, and sent personnel to Clorox’s offices who were “so lacking in application and infrastructure support skills” that Clorox was forced to engage another vendor.
The incident was first reported in September 2023, as part of the ongoing Scattered Spider campaign that heavily involved similar phone-based social engineering of target companies. It caused an extended pause of shipments of a number of the company’s retail products, which in turn led to them being absent from store shelves for some time. The company is most famous for its bleach and cleaning products but has diversified by acquiring numerous other brands over the years; these include Brita, Burt’s Bees, Formula 409, Glad, Hidden Valley, Kingsford, Pine-Sol and Fresh Step among others.
Scattered Spider is known for its social engineering prowess, using native English-speaking members based in the US and UK and deeply researching company internal procedures and structures before striking. But the transcript from the cyber attack that Clorox provides makes it sound as if absolutely none of that expertise was necessary; access was literally there for the asking by making contact with the help desk.
Clorox’s full complaint alleges breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. Cognizant’s statement to the media indicates the company believes it was under no obligation to provide cybersecurity services in the wake of the cyber attack, that the extent of its contract was to provide narrow help desk services, and that an “inept” response by Clorox was to blame for the extent of the damage. Cognizant is one of the world’s largest help desk contractors, first formed in 1994 and with annual global operating revenue of about $19.736 billion USD. It recently acquired Belcan in a $1.3 billion purchase aimed at expanding Cognizant’s business in the defense and aerospace industries.
Darren James, a Senior Product Manager at Specops Software, notes that the company will face some serious difficulties in demonstrating it holds no responsibility for the cyber attack: “Ultimately, this lawsuit should be a wakeup call for all MSPs that provide IT help desk service to their customers. They need to take ownership of the user verification process, particularly regarding password or MFA resets. They should provide their customers with secure and flexible Self-Service solutions that can be used from any device, at any time from any location so there can be no exceptions made. For all other service desk calls, there should also be a mandatory verification process put in place. Failure to provide such services will leave an MSP open to similar litigation and reputational as well as financial penalties.”