Company Files $380 Million Lawsuit Against Cognizant


Clorox Files Lawsuit Against Cognizant Over Major Data Breach

In a significant legal move, Clorox has sued IT services provider Cognizant, alleging that insufficient cybersecurity measures contributed to a substantial data breach in 2023. Filed in California Superior Court, the suit claims that Cognizant’s failure to adhere to essential cybersecurity protocols allowed cybercriminals to infiltrate Clorox’s network. This breach not only disrupted Clorox’s manufacturing and distribution processes but also resulted in revenue losses and a lengthy recovery effort.

Impact of the Clorox Data Breach

In 2023, following the detection of a cyberattack, Clorox was compelled to take its IT systems offline. The ramifications were widespread and immediate: damaged IT infrastructure, slowed product shipments, and empty shelves nationwide for popular Clorox products like Pine-Sol and Burt’s Bees. For months, the company had to rely on manual order processing and made significant adjustments to its operations to keep running.

As the situation unfolded, Clorox reported a 6% drop in sales volume due to supply chain delays and reduced shipment capabilities. The company invested $49 million in forensic investigations, recovery initiatives, and consulting services as part of its recovery strategy. Overall financial losses stemming from the breach are estimated to be in the hundreds of millions, not including potential damage to the company’s reputation.

Allegations Against Cognizant’s Help Desk

Central to Clorox’s lawsuit are serious accusations regarding the conduct of Cognizant’s help desk personnel. Legal documents reveal that attackers managed to call the help desk multiple times, successfully requesting password resets for Clorox employee accounts, including those with heightened access privileges, without undergoing adequate identity verification.

Despite established procedures that mandated the use of an internal identity verification system known as “MyID,” as well as additional verification through an employee’s manager and username, it is alleged that Cognizant’s help desk staff bypassed these critical safeguards.

The attackers impersonated Clorox employees, obtaining access to reset Okta and Microsoft credentials, disable multi-factor authentication (MFA), and even alter phone numbers linked to SMS-based login verifications—all without any identity confirmation being requested. Court transcripts indicate that the attackers made several calls on the same day, each time successfully acquiring credentials.

Mary Rose Alexander, Clorox’s outside counsel, criticized Cognizant’s actions sharply, stating, “Cognizant didn’t just drop the ball. They handed over the keys to Clorox’s corporate network to a notorious cybercriminal group in reckless disregard for Clorox’s policies and long-established cybersecurity standards. It’s all captured on call recordings, and it’s indefensible.”

Experts have consistently warned that help desks are vulnerable targets for cybercriminals, often because their customer service-oriented approach can lead to prioritizing easy access over strict security measures. Clorox argues that Cognizant not only ignored established procedures but also failed to notice clear warning signs, such as repeated requests for MFA resets from unauthorized users.

Fallout and Future Implications of the Clorox Cyberattack

As Clorox continues to recover from the cyberattack, the company’s latest earnings forecast for FY2025 indicates a slight decline in net sales, a reflection of ongoing repercussions from the breach, as well as broader macroeconomic and geopolitical challenges. Nonetheless, Clorox has received $100 million in insurance payouts linked to the incident and anticipates an increase in adjusted earnings per share of 13% to 19% compared to the previous year.

However, the implications of the Clorox data breach extend beyond financial metrics. This case raises crucial questions surrounding trust, accountability, and the often-blurred lines between internal processes and outsourced digital services.

For businesses that heavily depend on third-party vendors for IT support, the Clorox vs. Cognizant lawsuit serves as a serious reminder: oversight of vendor practices and cybersecurity cannot be treated as separate responsibilities. A vulnerable link in what may seem like routine support operations can jeopardize entire systems.
