Clorox Sues Cognizant For Allegedly Providing Network Credentials Without Authentication
Clorox is suing its longtime solution provider Cognizant, alleging it allowed a cybercriminal to enter its network by providing the needed credentials over the phone without authenticating who the caller was—resulting in what it calls a ‘catastrophic cyberattack.’
Clorox, best known for manufacturing bleach and other cleaning supplies, has sued Cognizant Worldwide and Cognizant Technology Solutions U.S., a large global IT service provider based in Teaneck, N.J.
Clorox, Oakland, Calif., Tuesday filed a lawsuit alleging that Cognizant, ranked No. 7 on the CRN 2025 Solution Provider 500, allowed a cybercriminal to enter Clorox’s network by providing the needed credentials over the phone without authenticating who the caller was.
Clorox, in its lawsuit filed Tuesday in the Superior Court of California, County of Alameda, said that it has trusted Cognizant for over a decade to “play critical roles in Clorox’s cyber environment.” Clorox alleged that Cognizant, despite being provided “straight-forward procedures” to properly authenticate employees who called its Cognizant-operated service desk to reset their credentials, failed to do so, resulting in a “catastrophic cyberattack” on the company.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked,” Clorox alleged in the lawsuit.
The hacker collective Scattered Spider is suspected of being involved in the cyberattack, according to multiple reports.
Clorox, in a statement emailed to CRN in response to a request for more information, wrote that Cognizant’s “failures and actions directly caused the August 2023 cyberattack and the significant disruptions to The Clorox Company’s business operations.”
Clorox, in the statement, said the company is seeking $380 million in direct and compensatory damages in addition to punitive damages resulting from “Cognizant’s incompetence and disregard for Clorox’s password policies and basic cybersecurity standards” that caused the August 2023 attack.
Mary Rose Alexander, outside counsel for The Clorox Company and partner at Latham & Watkins, said in the statement that “Clorox entrusted Cognizant with the critical responsibility of safeguarding Clorox’s corporate systems—and Cognizant failed miserably. Cognizant didn’t just drop the ball. They handed over the keys to Clorox’s corporate network to a notorious cybercriminal group in reckless disregard for Clorox’s policies and long-established cybersecurity standards. It’s all captured on call recordings, and it’s indefensible.”
Jeff DeMarrais, Cognizant’s senior vice president of global marketing and chief communications officer, wrote in response to an emailed request from CRN for more information that it was Clorox’s own security practices that were lax.
“It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox,” DeMarrais wrote.
Clorox has asked for a jury trial.