
The Clorox Company filed a lawsuit on Tuesday, identifying third-party technology provider Cognizant as the reason behind a 2023 hack that cost the bleach maker $380 million.
- The Clorox Company is suing IT tech consultant Cognizant for security failures leading to a 2023 breach.
- The Scattered Spider ransomware group, said to be responsible for the hack, was reported to have gained access to the Clorox network by simply asking Cognizant employees for their login credentials.
- The lawsuit alleges that the hack cost Clorox $380 million in damages, both for supply chain disruptions and restoration costs.

The lawsuit, filed in California State Court, claims that multiple Cognizant employees simply handed over their passwords to the hackers when asked, allowing the notorious ransomware gang to gain access to the network with ease.
The August 2023 attack on Clorox, carried out by the Scattered Spider ransomware group, caused widespread disruption to its operations and devastated its IT infrastructure, according to the lawsuit. Clorox claims the attack cost the American company $380 million in damages.
Scattered Spider, also responsible for a spate of attacks this spring on the UK retail sector, including Marks & Spencer, Harrods, and Co-op, is known for its sophisticated social engineering attacks.
Court documents seen by Reuters apparently depict one of the conversations between Scattered Spider and a Cognizant employee:
"I don't have a password, so I can't connect," the hacker says in one call. The agent replies, "Oh, OK. OK. So let me provide the password to you OK?" Reuters said.
Clorox had given the news outlet access to three partial transcripts allegedly showing other similar conversations with Cognizant support staff “in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to.”
In another example, Reuters states the hackers actually pretended to “quiz” the Cognizant workers on their employee identification numbers or manager's name.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," the lawsuit states.
"The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over," it said.
However, the company itself denies managing cybersecurity for Clorox.
"It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack," Cognizant said in a statement sent to Cybernews.
"Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services, which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox," the company said.
Cost of human error
The Russian-linked Scattered Spider gang has repeatedly infiltrated prominent companies through human error, posing as IT help desk workers.
In the M&S hack, which also cost the company an estimated 400 million, the hackers used employee logins from a third-party IT consulting firm to infiltrate the system.
Also responsible for the weeks-long attacks on the MGM Grand and Caesars International in Las Vegas around the same time in 2023, Scattered Spider is said to have recently switched gears from retail to the aviation sector, and is suspected of the June attack on Hawaiian Airlines.
In the filing, Clorox attributes the majority of the $380 million loss to its inability to ship products to retailers in the wake of the hack, with $50 million tied to mitigation costs.
Clorox further said the restoration effort was hampered by “other failures by Cognizant's staff,” including failure to deactivate certain accounts and restore data, Reuters reported.
With annual revenue of $7 billion in 2022, the California-based retail giant produces brands such as Pine-Sol, Glad, Brita, Kingsford, Formula 409, and others, besides its own Clorox-branded cleaning products.
Cognizant Technology Solutions Corporation is a multinational IT consulting and outsourcing company based out of New Jersey. It has roughly 350,000 global employees, with about a third based in India, where the company was originally founded, according to the company website.