Clorox sues IT service provider Cognizant for causing its 2023 cyberattack (but hey, that’s what happens when you treat cybersecurity as someone else’s job).

The Clorox Company has filed a lawsuit against Cognizant Technology Solutions, alleging that the IT services company’s lax security practices directly enabled a major cyberattack that crippled Clorox’s operations in 2023, resulting in estimated damages of $380 million. Cognizant is a global IT services and consulting company, founded in 1994 in Chennai, India, as an in-house technology unit of Dun & Bradstreet; it is now headquartered in the United States but still maintains about 85% of its workforce in India.

The suit, filed this week in California Superior Court in Alameda County, accuses Cognizant of allowing threat actors to access Clorox’s internal systems by repeatedly failing to follow basic identity-verification protocols. According to court filings, attackers were able to gain access through Cognizant’s IT help desk simply by impersonating Clorox employees and requesting password resets—requests the help desk granted without proper verification.

Allegations of Negligent Security Practices

The attack, which occurred in August 2023, was widely attributed to the cybercriminal group known as Scattered Spider, infamous for its social engineering tactics. In this case, no sophisticated malware or exploits were reportedly used; instead, Clorox alleges that the breach stemmed from avoidable human error and failure to adhere to established security protocols. According to Clorox:

“The attackers didn’t need to be sophisticated. They merely called the Cognizant help desk, posed as Clorox employees, and were repeatedly given access to credentials – often without any meaningful verification.”

Clorox argues that Cognizant was contractually obligated to follow identity and authentication protocols but failed to provide even the most basic level of protection, such as verifying names, contact information, or authentication codes before granting access or resetting passwords.

Financial and Operational Fallout

The operational impact of the breach was severe. Clorox was forced to shut down key IT systems, suspend production lines, and halt or delay product shipments for weeks following the attack. The company estimates at least $50 million in direct remediation costs, with full financial losses—including lost revenue and long-term disruption—allegedly reaching $380 million.

This incident marked one of the most damaging cyberattacks on a U.S. consumer products company in recent years, raising alarm bells in both corporate and cybersecurity communities about the vulnerabilities introduced by outsourcing critical IT functions.

Cognizant’s Response

Cognizant has denied wrongdoing, stating in a recent filing that it fulfilled its obligations based on the “help desk-only” scope of its contract. The company maintains it was not responsible for overseeing Clorox’s broader enterprise cybersecurity strategy and thus cannot be held liable for the breach’s overall impact.

A Cognizant spokesperson said in a statement:

“We take all issues of security seriously. This matter involves a sophisticated attack that exploited multiple external vectors, and we do not believe there is any merit to Clorox’s claims.”

However, Clorox contends that “sophistication” had little to do with the breach: the attack was only possible because Cognizant staff skipped core identity-verification steps. Exhibits attached to the complaint reportedly include call transcripts and internal logs showing support agents resetting login credentials for unauthorized callers without following standard policies.
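The two points the complaint turns on, verification before a reset (the protocols described under “Allegations of Negligent Security Practices”) and logs that show resets granted without it, are concrete enough to model. The following is an added example written for this page; it is not code from Clorox, Cognizant, or the court exhibits. It puts the name-only reset the complaint describes beside a reset gated on a one-time code sent to the phone number already on file for the account (never a number the caller supplies), and then runs a small audit over constructed help-desk log lines to flag resets with no accepted verification recorded. Every username, phone number, agent ID, and log line is constructed for illustration.

```python
"""Added example, not taken from the complaint or either company's systems.
Weak name-only reset vs. a reset gated on a one-time code to the channel on
file, plus an audit of constructed help-desk logs for unverified resets."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Employee:
    username: str
    display_name: str
    phone_on_file: str  # from the HR record, never from the caller


# Constructed directory standing in for the customer's identity store.
DIRECTORY = {
    "jdoe": Employee("jdoe", "Jane Doe", "+1-555-0100"),
    "rroe": Employee("rroe", "Richard Roe", "+1-555-0101"),
}


def weak_reset(claimed_name: str, audit_log: list) -> bool:
    """The 'before': reset on a name match alone. Anyone who knows an
    employee's name gets a new password. Kept only to show the gap."""
    for emp in DIRECTORY.values():
        if emp.display_name.lower() == claimed_name.strip().lower():
            audit_log.append({"user": emp.username, "verified": "name_only"})
            return True
    return False


class VerifiedResetDesk:
    """Reset only after the caller proves control of the channel on file."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.pending: dict = {}        # username -> (code digest, issued_at)
        self.audit_log: list = []

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def start(self, username: str, now: float):
        """Issue a 6-digit code to the number on file. It is returned here
        only so the example runs offline; a real desk delivers it to that
        number and the agent never sees it or reads it back to the caller."""
        emp = DIRECTORY.get(username)
        if emp is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (self._digest(code), now)
        return emp.phone_on_file, code

    def complete(self, username: str, code: str, now: float) -> bool:
        """Grant the reset only if the code is correct, fresh, and unused."""
        entry = self.pending.pop(username, None)  # single use: pop, not get
        if entry is None:
            self.audit_log.append({"user": username, "verified": "denied_no_challenge"})
            return False
        digest, issued = entry
        if now - issued > self.ttl:
            self.audit_log.append({"user": username, "verified": "denied_expired"})
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            self.audit_log.append({"user": username, "verified": "denied_bad_code"})
            return False
        self.audit_log.append({"user": username, "verified": "otp_to_number_on_file"})
        return True


# Constructed help-desk log lines in key=value form (not real logs).
SAMPLE_LOG = """\
2023-08-11T14:02:10Z agent=hd017 action=password_reset user=jdoe verified=otp_to_number_on_file
2023-08-11T14:05:43Z agent=hd023 action=password_reset user=rroe verified=none
2023-08-11T14:06:01Z agent=hd023 action=mfa_reset user=rroe
2023-08-11T14:07:30Z agent=hd009 action=ticket_closed user=jdoe
"""

RESET_ACTIONS = {"password_reset", "mfa_reset"}
ACCEPTED_VERIFICATION = {"otp_to_number_on_file", "in_person_id"}


def audit_unverified_resets(log_text: str) -> list:
    """Return every credential reset lacking an accepted verification method.
    A missing 'verified' field is flagged too: silence is not verification."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["time"] = parts[0]
        if (fields.get("action") in RESET_ACTIONS
                and fields.get("verified") not in ACCEPTED_VERIFICATION):
            flagged.append(fields)
    return flagged


if __name__ == "__main__":
    log: list = []
    print("weak flow, caller claims 'Jane Doe':", weak_reset("Jane Doe", log), log)
    desk = VerifiedResetDesk()
    phone, code = desk.start("jdoe", now=1000.0)
    print("hardened flow, right code:", desk.complete("jdoe", code, now=1030.0))
    for hit in audit_unverified_resets(SAMPLE_LOG):
        print("FLAG unverified reset:", hit)
```

Three design points carry the weight here: the challenge goes to contact data the account already has, not to anything the caller offers; the challenge is single-use and time-limited, so a guessed or replayed code fails; and the audit treats a reset with no recorded verification the same as one explicitly marked unverified, which is the condition the complaint says the exhibits show.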

Industry Ramifications

The lawsuit is poised to have lasting implications for companies that rely heavily on third-party IT vendors. Cybersecurity experts warn that while outsourcing can improve efficiency and scalability, it also introduces gaps in control and accountability—particularly when vendors are not adequately trained on customer-specific protocols or fail to prioritize security hygiene.

Kevin Mitropoulos, a cybersecurity analyst with Vigilant Systems, warned:

“The Clorox-Cognizant case highlights the risks of treating cybersecurity as someone else’s job. When critical access is given out over a phone call, you don’t need hackers—you just need someone who can lie convincingly.”
