Clorox Sues IT Providers Over 2023 Cyberattack

On Tuesday, Clorox announced it has filed a lawsuit against information technology providers, claiming they knew about the severe cyberattack in 2023. The crux of the issue seems to lie in how hackers managed to breach the system by merely requesting employees’ passwords from the tech staff.

In August 2023, the hacking group known as Spiders targeted several significant companies, and Clorox was among those affected.

This group is often described as quite sophisticated, though in its lawsuit, Clorox alleges that at least one of the hackers managed to repeatedly obtain passwords just by asking for them directly.

According to Clorox, “The hacker utilized simple tactics rather than complex methods.” They reportedly called the Cognizant Service Desk and requested credentials, which were then provided without much scrutiny.

As for Cognizant, they have yet to respond to requests for comments regarding the lawsuit, which was filed in a California courthouse. Clorox has shared receipts to prove the case’s existence.

The lawsuit also includes partial transcripts that depict conversations between the hackers and tech support. In these exchanges, attempts to reset passwords were made, and there appeared to be no verification, such as requiring employee IDs or manager names.

In one recorded interaction, a hacker states, “I can’t connect because I don’t have a password.” The agent responds, “Oh, okay. Let me provide you with your password.”

The impact of the 2023 attack was significant, with damages amounting to $380 million, which Clorox claims, includes $50 million in relief costs. The remaining amount reflects difficulties caused by the breach, particularly in shipping products to retailers.

Clorox further emphasized that failures by Cognizant staff, such as failing to activate necessary accounts and not restoring data correctly, hindered recovery efforts.