Following an enormous cyberattack in 2023, consumer goods giant Clorox has sued technology services provider Cognizant for $380 million, claiming egregious negligence. According to Clorox, Cognizant, which oversaw its identity management and IT service desk, allowed hackers to access corporate computers by heedlessly changing login passwords without conducting the necessary identity verification. Clorox’s business was halted for months as a result of this invasion, which was ascribed to the infamous hacker collective Scattered Spider.
Threat actors posing as Clorox employees called Cognizant’s support line in August 2023 and asked for password resets, triggering the cyber attack. The lawsuit claims that Cognizant workers neglected fundamental authentication procedures, giving the hackers access to password and multi-factor authentication resets, occasionally even for members of Clorox’s own IT security team. This caused extensive disruption by giving the attackers privileged access to the company’s internal network.
Clorox claims the consequences were catastrophic: manufacturing and supply chains were halted, orders to retailers were disrupted, and critical business systems remained offline for weeks. The firm says it incurred over $49 million in direct recovery and remediation expenses, on top of hundreds of millions in lost revenues due to product shortages and operational paralysis. The impact was so severe that Clorox had to process some orders manually and recover its systems gradually over several months.
The Details: The Way the Breach Occurred
Clorox accuses Cognizant’s help desk team of repeatedly resetting credentials for hackers without verifying their true identities. The attackers allegedly used simple social engineering—posing as legitimate employees—to exploit these lapses in protocol. The ease with which they obtained access sent shockwaves through the industry, illustrating just how vulnerable organizations remain to human error when basic cyber hygiene is overlooked.
Security experts note that, despite clear guidelines and contractual obligations, the help desk did not use Clorox’s defined tools for authentication, such as multi-factor identity checks or manager confirmation. Instead, the attackers succeeded on more than one occasion in getting both regular and privileged IT accounts reset, paving their way to deeper infiltration. These failures, claims Clorox, violated best practices and even breached the spirit of the companies’ long-standing IT partnership, which dated back to 2013.
To compound problems, Clorox’s lawsuit also alleges that Cognizant’s incident response and disaster recovery efforts were inadequate when the attack was discovered. The help desk reportedly failed to contain the breach quickly, delayed shutting down compromised accounts, and sent underqualified personnel to handle the critical recovery phase. Clorox’s leadership describes the resulting operational downtime as “crippling,” with substantial reputational and financial losses.
Cognizant Strikes Back: Denies All Responsibility
Facing these serious allegations, Cognizant has responded with forceful denials. In public statements, the IT firm has called Clorox’s claims “shocking” and accused the household product maker of scapegoating its technology partner to cover up its own cybersecurity shortcomings. According to Cognizant, its contractual role was restricted to service desk and basic IT support, not the overall cybersecurity management of Clorox’s systems.
A spokesperson for Cognizant stated that the company “reasonably performed” its duties in line with the limited scope of services requested and that Clorox is now “trying to blame us for failures that are their own.” Cognizant further argued that a corporation the size of Clorox should have had more robust internal controls to prevent this kind of incident and criticized the company’s cyber team as “inept.”
Cognizant’s representatives emphasized that the security breach was made possible by sophisticated social engineering rather than any technical failure and insisted that ultimate responsibility rested with Clorox’s own cyber defense protocols. They maintain that the company did not manage Clorox’s overall cybersecurity posture and only operated within narrowly defined contractual terms.
Broader Implications for Cybersecurity and Corporate Partnerships:
This high-profile clash between Clorox and Cognizant has ignited an industry-wide debate over responsibility and risk in outsourced technology partnerships. As more organizations rely on third-party IT vendors for critical operations, the boundaries between support roles and deep cybersecurity oversight become increasingly blurred.
The lawsuit brings into sharp focus the need for companies to implement rigorous verification protocols, even when dealing with trusted partners, and to foster a culture of continual cybersecurity training and vigilance. The apparent ease with which hackers penetrated Clorox’s systems highlights the persistent threat posed by social engineering, a tactic that has become the weapon of choice for many advanced cybercrime groups.
For Clorox, the legal battle represents a bid to recover massive financial losses and underscore the contractual obligations they believe were not met. For Cognizant, it is a fight to defend its reputation, clarify the limits of its responsibility, and push back against what it describes as unfair blame-shifting.
The example serves as a warning to businesses in all industries, reminding them that people and processes, rather than technology, are frequently the weakest link in the cybersecurity chain. Future conflicts between corporate clients and their IT service providers may be greatly affected by the outcome of the legal processes.
