Clorox, the US-based maker of cleaning and disinfectant products, has filed a lawsuit against IT services provider Cognizant, alleging that gross negligence by its service desk staff enabled a major cyber-attack in August 2023 that severely disrupted the company’s operations.
According to a complaint filed in a California court and obtained by tech news site BleepingComputer, Clorox accuses Cognizant of failing to follow basic identity verification procedures when a hacker called its IT help desk impersonating an employee.
The attacker, allegedly linked to the Scattered Spider threat group, was able to convince Cognizant staff to reset both the employee’s password and multi-factor authentication (MFA) credentials without proper authentication.
This failure, the lawsuit claims, gave the attacker access to Clorox’s internal systems, including privileged accounts, and ultimately led to the paralysis of its corporate network, halted production, and widespread product shortages. Clorox is seeking $49 million in direct damages and $380 million in total compensation for lost sales and reputational harm.
Social engineering tactics
The attack took place on August 11, 2023. BleepingComputer reports that recordings cited in the legal filing show a cybercriminal calling Cognizant’s help desk multiple times, impersonating a Clorox employee and requesting password resets. The complaint alleges that the help desk agent did not follow Clorox’s established credential recovery procedures, failed to verify the caller’s identity, and did not notify the employee or their manager after the credentials were reset.
A second set of credentials was later reset for an employee in Clorox’s IT security team, again without verification, granting the attacker even broader access to the company’s infrastructure.
Cognizant, which provided IT service desk and identity management support to Clorox from 2013 to 2023, is also accused of mishandling the response to the incident. The complaint describes delays in containment, failure to shut down compromised accounts, and the deployment of “underqualified personnel” during the recovery effort.
“When Clorox called on Cognizant to provide incident response and disaster recovery support services, Cognizant botched its response and compounded the damage it had already caused,” the complaint states.
In a statement to BleepingComputer, Cognizant denied responsibility, stating:
“It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”
Scattered Spider link
The cyber-attack is part of a broader pattern of activity linked to Scattered Spider, a group known for highly targeted social engineering attacks.
The group has been connected to recent attacks on major UK retailers, including Marks & Spencer and the Co-op, where attackers similarly exploited help desks to bypass MFA protections and gain access to sensitive systems.
Such incidents highlight the increased vulnerability of third-party service providers, and the challenges organisations face in securing identity and access management against sophisticated social engineering techniques.
MFA “not sufficient”
While multi-factor authentication is a standard defensive control, cybersecurity experts warn that MFA can be undermined when human elements—like help desks—fail to enforce protocols.
Tarun Desikan, EVP of cloud edge security at SonicWall, said in comments shared with TI: “While multi-factor authentication is critical, it’s not bulletproof. Attackers now bypass MFA with sophisticated social engineering techniques. By integrating MFA with Zero Trust, the security changes to the assumption that attackers will get in—placing guardrails that limit damage and exposure when they inevitably do.”

He added: “Cybercriminals are relentless in developing new tactics, techniques, and procedures. This necessitates a proactive and flexible approach to cybersecurity, which includes adopting architectures like Zero Trust.”
The lawsuit adds to growing concerns across sectors about third-party cyber risk, especially when critical IT services are outsourced to external providers. The Clorox attack, attributed to a basic lapse in verification procedures, resulted in significant business interruption and reputational damage.
For Clorox, which sells products under brands such as Clorox, Pine-Sol, and Burt’s Bees, the financial fallout has been substantial. The incident also underscores the shifting threat landscape, where attackers increasingly focus on social engineering and lateral access via trusted vendors rather than exploiting traditional software vulnerabilities.