Clorox has launched a major legal action in California Superior Court, seeking $380 million in damages from technology services firm Cognizant. The consumer goods manufacturer claims that a breach of its systems in August 2023 stemmed from serious lapses in Cognizant’s help desk authentication processes.
According to Clorox, Cognizant service desk agents reset employee Okta passwords for individuals posing as Clorox staff, without performing identity verification. The lawsuit states these actions allowed hackers to penetrate the company’s systems, disrupt manufacturing operations, and halt order processing. The incident reportedly caused at least $49 million in direct remediation expenses, alongside broader financial losses tied to prolonged operational downtime.
The complaint identifies the attacker as a member of the hacking collective known as Scattered Spider. Court documents allege that the hacker successfully persuaded Cognizant’s help desk to process multiple password resets and disable multi-factor authentication. These steps were allegedly taken without security questions, managerial approval, or any alert to Clorox’s internal security teams.
Mary Rose Alexander, lead counsel for Clorox from Latham & Watkins, said the case highlights a complete breakdown in trust. “Clorox entrusted Cognizant with the critical responsibility of safeguarding its corporate systems, and Cognizant failed miserably,” Alexander stated. She added that the service provider not only neglected its duties but acted in reckless disregard of established policies.
Cognizant has firmly denied liability. In its response, the company asserted that its contractual role was confined to help desk support, not comprehensive cybersecurity management. It claimed that Clorox maintained its own security systems, which it argues were insufficient. Cognizant further maintained that it met its obligations within the narrow scope of services agreed upon in the contract.
Clorox is pursuing both compensatory and punitive damages, citing breach of contract, gross negligence, and intentional misrepresentation. Legal experts note that the outcome of this case could influence future agreements between corporations and their third-party IT service providers, particularly around security responsibilities and incident response protocols.
This dispute underscores growing concerns over supply chain and vendor-related cybersecurity risks. As companies increasingly rely on outside service providers for key IT functions, lapses in third-party processes can have devastating consequences. The Clorox–Cognizant case may set a precedent on how courts assess accountability when breaches occur through contracted support channels.



