Clorox Sues IT Service Provider Cognizant for Causing 2023 Cyber-Attack

July 23, 2025

Clorox, a leading US producer of cleaning products, is suing its former IT service desk provider, London-based Cognizant, over the August 2023 cyber-attack.

The incident cost the manufacturer months of operational disruption and at least $49 million in expenses.

In a lawsuit filed in the California Superior Court on July 22, Clorox accused Cognizant of being directly responsible for the hack.

The lawsuit claims that Cognizant failed to follow Clorox’s password-reset protocols, neglected essential identity verification measures and enabled the attacker to gain access to the Clorox network.

Specifically, Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal without asking any authentication questions.

The cybercriminal then used those credentials, along with others obtained that same day through similar calls to the service desk, to attack Clorox.

Mary Rose Alexander, partner at Latham & Watkins and outside counsel for Clorox, commented: “Clorox entrusted Cognizant with the critical responsibility of safeguarding [its] corporate systems – and Cognizant failed miserably.”

She continued: “Cognizant didn’t just drop the ball. They handed over the keys to Clorox’s corporate network to a notorious cybercriminal group in reckless disregard for Clorox’s policies and long-established cybersecurity standards. It’s all captured on call recordings, and it’s indefensible.”

The cleaning product manufacturer is seeking $380 million in direct and compensatory damages, as well as punitive damages.

Weeks of Business Operation Halt and $49m of Damages for Clorox

On August 14, 2023, Clorox detected suspicious activity in its IT systems, an incident that was escalated to a cyber-attack within hours.

The attack forced the company to take portions of its IT systems offline, leading to widespread delays in production and order processing.

Through its business continuity plans and the efforts of its employees, Clorox worked to restore operations and address distribution losses caused by the cyber-attack.

However, the aftermath of the attack proved challenging, as Clorox struggled to fully recover operations for weeks. The company reported ongoing disruptions to its supply chain, affecting product availability and financial performance.

A January 2024 SEC filing revealed expenses associated with the incident of $49m in the six months to December 31, 2023.

In October 2024, Clorox said in its annual report that it was reassessing some sustainability goals, including around plastic and waste reduction before 2030, in part blaming disruptions following the 2023 cyber-attack.

Before the attack, Cognizant had been Clorox’s IT service desk provider for over a decade, with the first Information Technology Services Agreement (ITSA) between the two companies signed in 2013.

In a statement sent to Infosecurity, Cognizant denied being responsible for the cyber-attack and highlighted that it did not manage the manufacturer's cybersecurity at the time it happened.

"It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack," a Cognizant spokesperson wrote. 

"Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed."

The article was updated on July 23 to add Cognizant's response.
