Clorox Sues Cognizant After Hack Exposes Lapses in Identity Verification

Nate Anderson of Ars Technica reports on a major data breach due to lapses in identity verification at The Clorox Company that resulted in an estimated $380 million in damages.

Clorox filed a lawsuit in the Superior Court of California on July 22 against its IT services provider, Cognizant (The Clorox Company and Clorox Services Company v. Cognizant Worldwide Limited and Cognizant Technology Solutions).

The case raises significant questions about third-party liability and the boundaries of outsourced cybersecurity responsibilities.

Clorox contracted with Cognizant to manage its IT service desk, including password and multifactor authentication (MFA) support, from 2013 to 2023. The service desk was required to use Clorox’s internal MyID system for identity verification and notify relevant personnel after any reset.

According to Clorox, Cognizant offered repeated assurances that these protocols were being followed, but in August 2023, a cybercriminal bypassed all identity checks twice in one day by simply calling the help desk and posing as an employee.

Transcripts from the calls show service agents handing over passwords and resetting MFA with minimal scrutiny.

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit stated. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”

Clorox describes Cognizant’s actions as “devastating” and claims the company ignored training needs and internal policies.

Cognizant contends that it only performed help desk services within its limited scope and did not manage Clorox’s cybersecurity.

Attorneys representing clients with third-party service providers should assess the strength of those partnerships, particularly regarding cybersecurity. Contracts should clearly define security responsibilities and include audit rights, breach response protocols, and indemnification provisions.