Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging that the hackers pulled off the intrusion just by asking the tech company’s staff for workers’ passwords.
Clorox was considered one of several major firms hit in August 2023 by the hacking group dubbed Scattered Spider, which focuses on tricking IT help desks into handing over credentials after which using that access to lock them up for ransom.
The group is commonly described as unusually sophisticated and protracted, but in a case filed in California state court on Tuesday, Clorox said considered one of Scattered Spider’s hackers was capable of repeatedly steal employees’ passwords just by asking for them.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” in accordance with a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”
Cognizant didn’t immediately return a message looking for comment on the suit, which was not immediately visible on the general public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.
Three partial transcripts included within the lawsuit allegedly show conversations between the hacker and Cognizant support staff wherein the intruder asks to have passwords reset and the support staff complies without verifying who they’re talking to, for instance by quizzing them on their worker identification number or their manager’s name.
“I don’t have a password, so I can’t connect,” the hacker says in a single call. The agent replies, “Oh, okay. Okay. So let me provide the password to you okay?”
The 2023 hack caused $380 million in damages, Clorox said within the suit, about $50 million of which were tied to remedial costs and the remainder of which were attributable to Clorox’s inability to ship products to retailers within the wake of the hack.
Clorox said the clean-up was hampered by other failures by Cognizant’s staff, including failure to de-activate certain accounts or properly restore data.
