Clorox Sues Cognizant for Inflicting 2023 Cyber-Assault

Clorox, a number one US producer of cleansing merchandise, is suing its former IT service desk supplier, London-based Cognizant, over the August 2023 cyber-attack.

The incident price the producer months of operational disruption and at the least $49 million in bills.

In a lawsuit filed within the California Superior Courtroom on July 22, Clorox accused Cognizant of being immediately liable for the hack.

The lawsuit claims that Cognizant did not observe Clorox’s password-reset protocols, uncared for important identification verification measures and enabled the attacker to achieve entry to the Clorox community.

Particularly, Cognizant is on tape handing over the keys to Clorox’s company community to the cybercriminal with out asking any authentication questions.

The cybercriminal then used these credentials, together with others obtained that very same day by way of comparable calls to the service desk, to assault Clorox.

Mary Rose Alexander, companion at Latham & Watkins and out of doors counsel for Clorox, commented: “Clorox entrusted Cognizant with the essential duty of safeguarding [its] company programs – and Cognizant failed miserably.”

She continued: “Cognizant didn’t simply drop the ball. They handed over the keys to Clorox’s company community to a infamous cybercriminal group in reckless disregard for Clorox’s insurance policies and long-established cybersecurity requirements. It’s all captured on name recordings, and it’s indefensible.”

The cleansing product producer is looking for $380 million in direct and compensatory damages, in addition to punitive damages.

Weeks of Enterprise Operation Halt and $49m of Damages for Clorox

On August 14, 2023, Clorox detected suspicious exercise in its IT programs, an incident that was escalated to a cyber-attack inside hours.

The assault compelled the corporate to take parts of its IT programs offline, resulting in widespread delays in manufacturing and order processing.

By means of its enterprise continuity plans and the efforts of its workers, Clorox labored to revive operations and tackle distribution losses brought on by the cyber-attack.

Nevertheless, the aftermath of the assault proved difficult, as Clorox struggled to fully recover operations for weeks. The corporate reported ongoing disruptions to its provide chain, affecting product availability and monetary efficiency.

A January 2024 SEC submitting revealed expenses associated with the incident of $49m within the six months to December 31, 2023.

In October 2024, Clorox mentioned in its annual report that it was reassessing some sustainability objectives, together with round plastic and waste discount earlier than 2030, partly blaming disruptions following the 2023 cyber-attack.

Earlier than the assault, Cognizant had been Clorox’s IT service desk supplier for over a decade, with the primary Data Expertise Providers Settlement (ITSA) between the 2 firms signed in 2013.

In a press release despatched to Infosecurity, Cognizant denied being liable for the cyber-attack and highlighted that it didn’t handle the producer’s cybersecurity on the time it occurred.

“It’s stunning {that a} company the scale of Clorox had such a clumsy inner cybersecurity system to mitigate this assault,” a Cognizant spokesperson wrote. 

“Clorox has tried guilty us for these failures, however the actuality is that Clorox employed Cognizant for a slim scope of assist desk companies which Cognizant fairly carried out.”

The article was replace on July 23 so as to add Cognizant’s response.