IT services provider Cognizant is facing a multimillion-dollar lawsuit from one of its customers, which claims lax security procedures enabled the Scattered Spider hacking collective – blamed for the attacks on Marks & Spencer and Co-op Group – to access its systems by convincing a Cognizant helpdesk employee to reset a password.
The August 2023 incident saw business at Clorox – a household name in cleaning products in the US – badly disrupted after it was forced to suspend production and shipping in the wake of the social engineering attack. It is thought to have cost the organisation almost $400m.
In the lawsuit, filed in the California Superior Court, Clorox accused Cognizant of repeatedly giving a cyber criminal access to its network by handing them credentials without authenticating them or otherwise following basic cyber security processes.
“Cognizant provided the service desk that Clorox employees could contact when they needed password recovery or reset assistance,” said Clorox in its complaint. “Cognizant’s operation of the service desk came with a simple, common-sense requirement: never reset anyone’s credentials without properly authenticating them first. Clorox made this easy for Cognizant by providing them with straightforward procedures to follow.
“Despite assuring Clorox that it was following these procedures, Cognizant’s conduct on 11 August 2023 demonstrated spectacularly that it was failing to do so…. Cognizant’s failures resulted in a catastrophic cyber attack on Clorox.”
Clorox’s complaint alleges that on 11 August, Cognizant’s service desk received a call from a hacker requesting a reset of an individual’s password – this person is identified in the complaint as Employee 1 – for the Okta identity management tool.
It said the hacker told Cognizant they could not connect to the VPN without a password, following which the customer support agent “unilaterally” reset the password without questioning the caller or verifying their identity. It claimed this was in direct violation of its support procedures.
At this point, Clorox’s complaint continues, the hacker tried their luck again and asked for a reset of their Microsoft multifactor authentication (MFA). Again, it says, this was done without verification.
Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network Clorox’s legal complaint against Cognizant
After conducting two follow-up calls to again reset Employee 1’s Okta and Microsoft passwords, the hacker then convinced Cognizant’s agent to reset the phone number Employee 1 used for SMS MFA.
Clorox said that at no point during all of this did Cognizant’s agent verify the caller was the right person, or follow any of its identity support procedures, which had been updated a few months earlier.
“Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network,” said the complainant.
The complaint goes on to detail how, having accessed its systems, Scattered Spider then targeted Employee 2, an individual working on Clorox’s cyber security team, and used the same playbook to reset that person’scredentials. This enabled the gang to elevate their privileges within Clorox’s IT systems, establish persistence and begin lateral movement.
Clorox said it detected the intrusion within three hours and took action to eject the hackers from its network, but not before being forced to pull the plug on multiple critical systems.
On the basis of these alleged failings, claims that Cognizant intentionally misled Clorox into believing its staff were trained on its policies and procedures, and additional claims of “ongoing incompetence” that allegedly impeded the incident response efforts, Clorox is seeking to recover $49m in direct remediation damages and $380m in total.
In a statement shared with Computer Weekly’s sister title Cybersecurity Dive, a Cognizant spokesperson said: “It is shocking that a corporation the size of Clorox had such an inept internal cyber security system to mitigate this attack.
“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of helpdesk services, which Cognizant reasonably performed. Cognizant did not manage cyber security for Clorox.”
