Clorox Says £280.53m Hack Happened After IT Staff Gave Out Logins Over the Phone, Lawsuit Claims
While the hacking group is known for sophistication, the suit suggests a simple request led to the major breach

A phone rings at an IT help desk. The caller needs a password reset. No questions asked, the support agent obliges: 'Let me provide the password to you, OK?' That brief exchange allegedly cost a staggering $380 million (£280.53 million).
The bleach manufacturer Clorox has launched legal action against IT provider Cognizant, claiming the devastating 2023 cyberattack succeeded because help desk staff handed over employee passwords to hackers who did nothing more sophisticated than pick up the phone and ask.
The court documents filed in California on Tuesday reveal how the notorious hacking group Scattered Spider allegedly breached one of America's biggest consumer goods companies without using a single line of malicious code. They just rang the help desk.
The Superior Court of Alameda County will now determine whether 'reasonably performed' includes giving passwords to anyone who rings up and asks nicely.
The $380M (£280.53 million) Cyberattack
In August 2023, Clorox was one of several major companies targeted by the hacking group known as Scattered Spider.
According to a report by America's Cyber Defence Agency, this group specialises in deceiving IT help desk personnel to gain credentials, which they then use to lock up systems for ransom.
The August 2023 breach paralysed Clorox's operations for months. Here's where the money went:
- £36.91 million on direct recovery costs
- £243.62 million in lost revenue as factories sat idle
- Untold reputational damage as products vanished from supermarket shelves
The attack crippled Clorox's ability to manufacture and ship products to retailers across America. Empty shelves where Clorox bleach and cleaning products should have been became a visible reminder of how a simple security lapse can bring a corporate giant to its knees.
How the Breach Unfolded
While Scattered Spider is often described as highly sophisticated and persistent, Clorox's lawsuit, filed in a California state court on Tuesday, claims that one of their hackers repeatedly obtained employee passwords simply by asking for them.
According to the lawsuit, a copy of which Reuters reviewed, 'Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over.'
Cognizant's Response
In an emailed statement, Cognizant pushed back against the claims, asserting it was not responsible for Clorox's overall cybersecurity. The company stated it was only contracted for limited help desk services.
'Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services, which Cognizant reasonably performed,' Cognizant said.
The lawsuit wasn't immediately visible on the public records of the Superior Court of Alameda County. However, Clorox did provide Reuters with a court receipt for the filing.
The lawsuit includes three partial transcripts, which purportedly show conversations between the hacker and Cognizant support staff. In these exchanges, the intruder requests password resets, and the support staff complies without verifying their identity, for instance, by asking for an employee identification number or a manager's name.
Beyond Sophistication
In one call, the hacker says, 'I don't have a password, so I can't connect.' The agent's response: 'Oh, OK. OK. So let me provide the password to you, OK?'
That the hacker got what they wanted without breaking a sweat didn't necessarily mean they lacked skill, according to Maxie Reynolds, a security expert focused on social engineering, who is not involved in the case. She commented, 'They just tried what typically works.'
No security questions. No identity verification. No request for an employee number or manager's name. Just immediate compliance.
These weren't isolated incidents. According to Clorox's legal filing, hackers 'repeatedly obtained employee passwords simply by asking for them.' The transcripts show support staff resetting passwords and granting access without following basic security protocols that any first-year IT student would recognise as essential.
The Cost of the Incident
According to Reynolds, the full transcripts were needed for a fair evaluation of the 2023 incident. However, she pointed out that 'if all they had to do was call and ask straight out, that's not social engineering and it is negligence/non-fulfilment of duty.'
The 2023 hack at Clorox resulted in $380 million (£280.53 million) in damages, according to the lawsuit. Roughly $50 million (£36.91 million) of this was linked to recovery expenses, with the remaining amount attributed to Clorox's inability to ship products to retailers following the breach.
Clorox attributed the incomplete clean-up to other shortcomings by Cognizant's staff, including their failure to deactivate certain accounts or properly restore data.
As this case heads to court, it poses fundamental questions about responsibility in the age of outsourced IT services. When you entrust another company with your help desk, who's accountable when that help desk helps hackers instead?
© Copyright IBTimes 2025. All rights reserved.