Cognizant Agents Gave Hackers Passwords, Clorox Says in Lawsuit
Clorox is suing IT services firm Cognizant for failing to follow basic cybersecurity procedures, which it says left it exposed to a Scattered Spider cyberattack that cost $380 million. The hackers obtained access to Clorox's network by contacting the Cognizant service desk, without being subjected to any identity verification. 2025-7-24 15:52:21 Author: securityboulevard.com

Clorox is accusing IT services firm Cognizant of letting hackers into their corporate systems simply by giving them the passwords when asked.

The multinational company known for its cleaning and disinfecting products is suing Cognizant for $380 million for its singular role in a cyberattack by the notorious Scattered Spider threat group almost three years ago. It is also seeking punitive damages.

In the complaint filed this week in Alameda County Superior Court in California, Clorox claims the failure by Cognizant’s helpdesk in following basic cybersecurity procedures “resulted in a catastrophic cyberattack” on the company in August 2023.


“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the company says in its partially redacted 19-page complaint. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal – no authentication questions asked.”

According to the lawsuit, Clorox says it used Cognizant – “a self-proclaimed leader in digital and cybersecurity services” – for several roles, including what the company said was a task that was “as critical as it was fundamental: Cognizant helped guard the proverbial front door.”

Employees could contact the Cognizant service desk when they needed help recovering or resetting a password. A key instruction to service desk operators was that they never reset a credential without properly authenticating the person asking. Clorox says it provided the operators with “straightforward procedures” they needed to follow in such situations.

Clorox: Procedures Not Followed

The procedures included steering anyone seeking a password reset to MyID, Clorox’s verification and self-reset password tool. If MyID wasn’t available, the Cognizant agent needed to verify the employee’s identity through the person’s manager’s name and MyID user name before resetting the password. Afterwards, the agent was to send confirmation emails to the employee’s Clorox email and to the relevant manager.

Cognizant repeatedly told Clorox that the service desk was following those procedures, but the corporation said that on August 11, 2023, its conduct “demonstrated spectacularly that it was failing to do so.”

The threat actors made multiple calls to the Cognizant help desk, essentially asking for new passwords and getting them without any effort to verify them, Clorox wrote. They then used those new credentials to gain access to the corporate network, launching a “debilitating” attack that “paralyzed Clorox’s corporate network and crippled business operations. And to make matters worse, when Clorox called on Cognizant to provide incident response and disaster recovery support services, Cognizant botched its response and compounded the damage it had already caused.”

In a statement to media outlets, a Cognizant spokesperson said it was “shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.”

While Clorox is placing the blame on Cognizant, “the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox,” the spokesperson said.

Missing the Point

Rom Carmel, co-founder and CEO of just-in-time access company Apono, told Security Boulevard that “Cognizant’s claim that they did not manage cybersecurity for Clorox misses the mark, especially in the cloud era, where identity is at the center of cybersecurity. Every cloud identity is inherently privileged. A single compromised identity can give attackers free rein to move laterally and inflict massive damage, running into hundreds of millions.”

Scattered Spider and similar threat actors exploit social engineering and help-desk trust to take control of over-privileged accounts.

“That a help desk allegedly failed to verify a user highlights why layered security is essential,” Carmel said. “Authentication alone is not enough.”

That said, “organizations must reduce both attack surface and blast radius by eliminating standing access and rolling back excessive privileges,” he said. “Limiting access to the narrow windows when it’s truly needed ensures breaches do far less damage.”

Passwords and More

The Scattered Spider hackers were able to not only get password resets through the Cognizant service desk but also other credentials, including phone number changes for text authentication and multifactor authentication (MFA) resets, according to the complaint.
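The reset procedure described earlier (self-service tool first, manager-name and MyID user-name verification as the fallback, confirmation emails afterwards) and the pattern of password, MFA and phone-number changes described here can both be expressed in code. The following is an added example, not code from the article, Clorox or Cognizant; the directory, the log format and every name and value in it are constructed.

```python
# Added example (not from the article, Clorox or Cognizant): a help-desk reset gate that
# enforces the verification steps the complaint describes, plus a detector that flags
# sensitive account changes made without them. Every name, record and log line is constructed.
from collections import defaultdict
# Constructed directory the agent must check the caller against.
DIRECTORY = {"jdoe": {"manager": "Alice Smith", "email": "jdoe@example.com",
                      "manager_email": "asmith@example.com"}}

def handle_reset(myid_user, stated_manager, myid_available=True, directory=DIRECTORY):
    """Returns (action, recipients). Step 1: steer the caller to the self-service
    tool. Step 2: only if it is down, verify the manager name they give against the
    directory record for the MyID user name they give. Step 3: confirm the reset by
    email to the employee and the manager. Anything else: no verification, no reset."""
    if myid_available:
        return ("redirect_myid", [])
    rec = directory.get(myid_user.strip().lower())
    if rec is None or stated_manager.strip().lower() != rec["manager"].lower():
        return ("deny", [])
    return ("reset", [rec["email"], rec["manager_email"]])

# The complaint describes several calls yielding password resets, MFA resets and
# phone-number changes for text authentication. Treat all three as sensitive.
SENSITIVE = {"password_reset", "mfa_reset", "phone_change"}

def find_suspicious(log_lines, window_seconds=3600):
    """Log format (constructed): epoch,agent,user,event,verified(yes|no). Alerts on any
    sensitive change without a recorded verification, and on any account receiving
    more than one kind of sensitive change inside one window."""
    alerts, per_user = [], defaultdict(list)
    for line in log_lines:
        ts, agent, user, event, verified = line.strip().split(",")
        if event not in SENSITIVE:
            continue
        if verified != "yes":
            alerts.append(f"{user}: {event} by {agent} at {ts} with no verification")
        per_user[user].append((int(ts), event))
    for user, events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            kinds = {e for t, e in events[i:] if t - t0 <= window_seconds}
            if len(kinds) > 1:
                alerts.append(f"{user}: {sorted(kinds)} within {window_seconds}s")
                break
    return alerts
SAMPLE_LOG = [  # constructed; the first two changes were made with no verification
    "1691740800,agent7,jdoe,password_reset,no",
    "1691741100,agent7,jdoe,phone_change,no",
    "1691741400,agent3,jdoe,mfa_reset,yes",
]
```

Running find_suspicious(SAMPLE_LOG) yields three alerts: two unverified changes and one account that received three different kinds of sensitive change within an hour.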

Clorox also obtained recordings of interactions between Cognizant employees and the attackers, including one in which the cybercriminal says, “I don’t have a password, so I can’t connect.” The Cognizant agent says, “Oh, ok. Ok. So let me provide the password to you, ok?” and then gives them a new password.

As a digital and security provider, Cognizant knew of the critical role the service desk plays in protecting companies from cyberattacks and that training operators for the work is crucial, Clorox wrote.

Winners and Losers

The massive company, with almost $7.1 billion in net sales in FY 2024 and about 8,000 employees worldwide, said the cyberattack cost it about $380 million in damages, which included more than $49 million to fix the damage and hundreds of millions of dollars in lost business. The attack hurt its ability to ship orders to retailers, which meant not having products on store shelves.

Clorox also noted that Cognizant ended 2024 with $20 billion in revenue, saying that “while the Cyberattack paralyzed Clorox’s network and crippled its business operations, Cognizant’s reputation and profits have gone untarnished.”

In reporting FY 2024 results a year later, Clorox CEO Linda Rendle said in a statement that the company was able to expand its margins and saw other growth “despite substantial disruption and consumption loss from the cyberattack.”

By then, the company had fully restored its supply and distribution operations and recovered most of its market share, Rendle said.

Scattered Spider’s Long Reach

Scattered Spider has been around since 2022. The group, also known as UNC3944, Octo Tempest, Scatter Swine, and Star Fraud, reportedly comprises members located in North America and the UK, and has made a name for itself by attacking particular industries one at a time, including hospitality, technology, and telecommunications.

This year, the group has targeted the retail and insurance sectors.

Darktrace researchers noted Scattered Spider’s evolving nature, recently using ransomware-as-a-service (RaaS) platforms along with its social engineering and SIM-swapping attacks.

“This adoption [of RaaS] reflects a shift toward more scalable attacks with a lower barrier to entry, allowing the group to carry out sophisticated ransomware attacks without the need to develop it themselves,” Darktrace researchers wrote in a blog post today. “The ongoing changes in tactics used by Scattered Spider, reliance on LOTL [living off the land] techniques, and continued adoption of evolving RaaS providers like DragonForce make it harder for organizations and their security teams to prepare their defenses against such attacks.”

Law enforcement is fighting back. In November 2024, U.S. prosecutors pressed charges against five people suspected of being part of the threat group, while counterparts in the U.K. arrested four people earlier this month.

Article source: https://securityboulevard.com/2025/07/cognizant-agents-gave-hackers-gave-passwords-clorox-says-in-lawsuit/?utm_source=rss&utm_medium=rss&utm_campaign=cognizant-agents-gave-hackers-gave-passwords-clorox-says-in-lawsuit