
Clorox sues Cognizant for USD 380 million over 2023 cyberattack

US household goods giant alleges Cognizant's help desk mishandled password resets, leading to network paralysis and financial losses; tech firm denies charge


US-based household goods giant Clorox has reportedly filed a $380-million lawsuit against Cognizant Technology Solutions over a cyberattack that severely impacted its operations in August 2023.

The lawsuit, filed in a US federal court, alleges that Cognizant’s mishandling of help desk duties enabled a hacker to breach Clorox systems by resetting employee credentials without proper verification.

Operational disruption

According to the complaint, the breach reportedly disrupted Clorox’s corporate network, forced manufacturing halts, and derailed its supply chain, resulting in extensive financial losses.

The company reportedly claims more than $49 million was spent on remediation alone, while hundreds of millions were lost due to interrupted operations and unfulfilled orders.

Cybersecurity breach

Clorox reportedly entered into a support agreement with Cognizant in 2013, which included service desk and identity management responsibilities.

The complaint alleges that on August 11, 2023, a cybercriminal impersonating a Clorox employee contacted the Cognizant service desk and requested a password reset for Okta, an identity management tool Clorox used to verify network access.

The cybercriminal called the Cognizant service desk a second time, again masquerading as a Clorox employee. This led to successful network access and, ultimately, a debilitating breach, Clorox alleged.

Clorox’s complaint

In its complaint, Clorox accused Cognizant of not only failing to follow security protocol but also worsening the situation through an inadequate incident response.

"The resulting cyberattack was debilitating. It paralysed Clorox's corporate network and crippled business operations. And to make matters worse, when Clorox called on Cognizant to provide incident response and disaster recovery support services, Cognizant botched its response and compounded the damage it already caused," Clorox said in its complaint.

The complaint also said that Cognizant operated the service desk for Clorox and provided IT support for Clorox employees, including employee credential recovery when needed.

Cognizant’s response

Cognizant has firmly denied all allegations, calling Clorox’s claims “shocking”.

In a strongly worded statement, a company spokesperson said, “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.”

The firm reportedly maintained that its responsibilities were limited to help desk services, which it had performed reasonably. It added that it had no role in managing Clorox’s overall cybersecurity systems.

“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox,” Cognizant said.

Unanswered questions

The timing of the lawsuit—almost two years after the breach—has raised questions. It remains unclear whether the delay stems from new findings or legal strategy.

Around the time of the attack, Clorox’s Chief Information Security Officer, Amy Bogac, stepped down. The company has not clarified if her departure was connected to any internal lapses at the time of the incident.
