Clorox, a well-known manufacturer of everyday household products ranging from lip balm to cat litter, has taken legal action against Cognizant, the massive IT services company responsible for managing its service desk operations. According to the lawsuit recently filed in California state courts, the breach that resulted in a reported $380 million in damages was not Clorox’s fault, but rather the failure of Cognizant to implement even the most basic security protocols. The incident, detailed in a report by Ars Technica, demonstrates how cybercriminals can exploit a lack of proper verification by simply calling the IT service desk and requesting access to the company’s network without any form of authentication.
The report outlines how attackers, posing as an employee, were able to request password resets and multifactor authentication resets from Cognizant’s Service Desk, which granted them without any verification of the caller’s identity. This allowed the attackers to gain access to Clorox’s network and subsequently plant ransomware or exfiltrate data, resulting in significant damage. Clorox’s lawsuit claims that Cognizant was not deceived by any sophisticated ploy, but rather handed the keys to the corporate network to the cybercriminal, highlighting the vendor’s lack of care and inadequate employee training. The legal action seeks compensation for the damages incurred from weeks of disruption to Clorox’s factories and ordering systems.
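The failure described above comes down to a service desk resetting credentials without verifying who is asking. The following is an added illustration, not code from the article, Ars Technica, Clorox or Cognizant: a small Python model of a help-desk reset gate that refuses password and MFA resets lacking an accepted verification method, plus a detection pass over ticket logs that flags unverified resets and the takeover-shaped pattern of an MFA reset and a password reset on the same account within a short window. The ticket records, agent names, account names and the set of accepted verification methods are all constructed for the example.

```python
"""Added example: help-desk credential-reset gating and detection over
constructed ticket logs (assumed data, not from the lawsuit or the report)."""
from datetime import datetime, timedelta

# Hypothetical policy: a credential reset is only honoured when the caller
# passed one of these out-of-band checks (assumed names, not a real standard).
ACCEPTED_VERIFICATION = {
    "callback_to_registered_phone",
    "manager_approval",
    "in_person_id",
}
# Actions that change a factor an attacker could use to take over the account.
CREDENTIAL_ACTIONS = {"password_reset", "mfa_reset"}

# Constructed sample ticket log. "verification" records what the agent did
# before acting; "none" means the request was granted on the caller's say-so.
TICKETS = [
    {"id": "T-1001", "ts": "2025-08-11T09:02:00", "account": "jdoe",
     "action": "password_reset", "verification": "callback_to_registered_phone",
     "agent": "desk01"},
    {"id": "T-1002", "ts": "2025-08-11T09:40:00", "account": "asmith",
     "action": "mfa_reset", "verification": "none", "agent": "desk02"},
    {"id": "T-1003", "ts": "2025-08-11T09:47:00", "account": "asmith",
     "action": "password_reset", "verification": "none", "agent": "desk02"},
    {"id": "T-1004", "ts": "2025-08-11T10:15:00", "account": "bwong",
     "action": "unlock_account", "verification": "none", "agent": "desk01"},
    {"id": "T-1005", "ts": "2025-08-11T13:05:00", "account": "jdoe",
     "action": "mfa_reset", "verification": "manager_approval", "agent": "desk03"},
]


def reset_allowed(ticket):
    """Gate applied before the agent acts: credential resets need an accepted
    verification method; other actions (e.g. an account unlock) pass through."""
    if ticket["action"] not in CREDENTIAL_ACTIONS:
        return True
    return ticket["verification"] in ACCEPTED_VERIFICATION


def _when(ticket):
    return datetime.fromisoformat(ticket["ts"])


def find_risky_resets(tickets, window_minutes=60):
    """Detection pass over closed tickets. Returns (ticket id(s), rule) pairs.

    Rule 1: any credential reset recorded without accepted verification.
    Rule 2: an MFA reset and a password reset on the same account within
            window_minutes, regardless of order; together they hand a caller
            both factors of an account, which is the pattern worth paging on.
    """
    findings = []
    ordered = sorted(tickets, key=_when)

    for t in ordered:
        if t["action"] in CREDENTIAL_ACTIONS and not reset_allowed(t):
            findings.append((t["id"], "unverified_credential_reset"))

    by_account = {}
    for t in ordered:
        if t["action"] in CREDENTIAL_ACTIONS:
            by_account.setdefault(t["account"], []).append(t)

    window = timedelta(minutes=window_minutes)
    for items in by_account.values():
        for i, first in enumerate(items):
            for second in items[i + 1:]:
                if first["action"] != second["action"] and \
                        _when(second) - _when(first) <= window:
                    findings.append(((first["id"], second["id"]),
                                     "mfa_and_password_reset_in_window"))
    return findings


if __name__ == "__main__":
    for ticket in TICKETS:
        print(ticket["id"], ticket["action"],
              "ALLOW" if reset_allowed(ticket) else "DENY (no verification)")
    for finding in find_risky_resets(TICKETS):
        print("finding:", finding)
```

In practice the gate belongs in the ticketing workflow itself, so an agent cannot close a reset ticket without choosing a verification method from the accepted list, and the detection pass runs over the same records so that a vendor granting resets on the caller's word shows up in the customer's own monitoring rather than only in a later lawsuit.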
The case highlights a critical vulnerability in business practices, particularly in outsourcing critical IT functions to third-party vendors. Clorox’s lawsuit not only points out the failure of Cognizant but also serves as a warning to other companies about the importance of stringent security protocols and proper training for their IT vendors. The report emphasizes that the breach was not due to any complex hacking techniques but was instead a result of a fundamental oversight in the company’s security procedures by the vendor. This incident underscores the need for greater accountability and oversight in how businesses manage their digital security, especially when outsourcing critical operational functions.