Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Clorox sues Cognizant over $380 Million ransomware breach

Written by Caitlin Anthoney | July 31, 2025

Clorox has filed a lawsuit against its IT provider, Cognizant, alleging that the company’s service desk handed login credentials to hackers posing as employees. 

What happened

In August 2023, hackers from the group Scattered Spider infiltrated Clorox’s network using credentials allegedly provided by Cognizant service desk employees without proper identity verification. Clorox claims that Cognizant failed to follow its own security protocols when handling requests from individuals claiming to be employees locked out of their accounts.

Cognizant manages Clorox’s internal IT systems, including password resets, multi-factor authentication (MFA), and VPN access. According to the lawsuit, the company’s policies require employees to first use a self-service password reset tool. If that is not possible, Cognizant employees must verify a user’s identity by asking for details such as their manager’s name and username. A reset notification would then be emailed to the employee and their manager for added security.

Instead, the lawsuit claims, Cognizant staff provided credentials over the phone without any verification, allowing hackers to bypass MFA protections and access sensitive systems.

Going deeper

  • A partial transcript of one call included in the lawsuit shows an alleged hacker stating: “I don’t have a password, so I can’t connect.” The Cognizant employee allegedly replied: “Oh, ok. Ok. So, let me provide the password to you, okay?”
  • Clorox alleges this lack of due diligence directly allowed Scattered Spider to deploy ransomware.
  • The attack disrupted Clorox’s manufacturing and distribution capabilities, leading to significant product shortages and losses in the following months.

What was said

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the Clorox vs Cognizant lawsuit states. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

Why it matters

Human error is one of the biggest threats to cybersecurity. Social engineering attacks, where hackers pose as legitimate users, are among the simplest yet most effective tactics. Even organizations with strong technical safeguards can face catastrophic breaches if verification procedures are ignored.

For healthcare organizations and HIPAA-covered entities, similar lapses could lead not only to operational and financial losses but also to severe regulatory penalties for impermissible disclosures of protected health information (PHI).

FAQs

How can social engineering attacks be identified?

Social engineering attacks can be identified by suspicious or unexpected requests for sensitive information, unusual communication methods, and signs of urgency or pressure from unknown sources.

Does HIPAA apply to all healthcare providers?

Yes, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. These entities are directly responsible for complying with HIPAA regulations.

Can Paubox assist with HIPAA compliance? 

Yes, Paubox can assist covered entities and their business associates with HIPAA compliance efforts by providing HIPAA compliant email and text messaging encryption and security solutions.