Help Desk Contractor Negligence in Question as Clorox Sues Cognizant Over Cyber Attack

The massive 2023 cyber attack on Clorox is raising some legal questions about help desk obligations, as the cleaning products giant is suing former contractor Cognizant for allegedly letting the attackers in the door.

Clorox asserts that Cognizant performed incompetently throughout the incident, not just in resetting a password for the attacker without following security protocols but also in follow-up containment and recovery. For its part, Cognizant is asserting that it was not even obligated to do anything but provide help desk services and that it provided those as specified.

Clorox presents transcript demonstrating help desk failure to challenge attackers

The cyber attack was the work of the “Scattered Spider” group during their notorious mid-late 2023 crime spree, which included a breach of MGM that crippled its casino operations for about a week. The group is infamous for its ability to social engineer its way through help desk calls, but the evidence Clorox presents in this case indicates that experience was not even necessary; Cognizant staff reset requested employee passwords upon simply being told that the attacker could not use their MFA because it was on an “old phone.”

The attacker called the help desk three times over the span of about two days, each time requesting a new employee password reset as they explored the Clorox network and discovered new credentials to target. Each time they were apparently handed the password with no additional security checks. Clorox also asserts that after it discovered that ransomware was being deployed against its network, about three hours after the attack began, Cognizant was responsible for a series of unusual delays that allowed the incident to get even more out of hand.

The specifics of Clorox’s claim allege breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. The suit seeks compensation of $380 million in total (with $49 million in direct remediation). The cyber attack could end up having bigger ramifications for Cognizant, however, which has been making a major push into the defense and aerospace industries as of late with its acquisition of Belcan.

Handling of cyber attack could prove costly for Cognizant

More precise details about the contractual relationship between the two companies will likely come out in court, but from what information is available now it is hard to believe Cognizant’s claim that they were under no cybersecurity obligation beyond providing help desk bodies to answer calls. It certainly does not explain their seemingly deep involvement in the recovery process, to include sending personnel (who were rejected by Clorox for lacking necessary knowledge) on-site.

The two companies had a relationship for 10 years prior to the cyber attack, with apparently no previous incidents. Clorox’s filing claims that it regularly communicated with Cognizant, with weekly meetings to discuss new action items and any changes in procedure. Several months prior to the cyber attack Clorox had implemented an added layer of defense for this eventuality by introducing a self-reset tool called “MyID” that employees were to be directed to; the help desk was only supposed to directly initiate a password reset if employees could not access it for some reason, and were supposed to first collect the user’s MyID number and the name of a manager for verification.

At least judging by the transcript provided and what Clorox attested to in its filing, none of those things happened. The help desk employees simply reset the password immediately upon request with no further verification, with only the repeated lie about not being able to access MFA due to it being on an “old phone” to smooth things along. Cognizant will have its chance to defend itself in court, but the initial filings make it look like a critical and unacceptable failure to follow provided security procedure (and one that is very surprising for one of the world’s oldest and largest vendors of this nature).