Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant
IT services provider Cognizant is facing a multimillion-dollar lawsuit from one of its customers, which claims lax security procedures enabled the Scattered Spider hacking collective – blamed for the attacks on Marks & Spencer and Co-op Group – to access its systems by convincing a Cognizant helpdesk employee to reset a password.
The August 2023 incident saw business at Clorox – a household name in cleaning products in the US – badly disrupted after it was forced to suspend production and shipping in the wake of the social engineering attack. It is thought to have cost the organisation almost $400m.
In the lawsuit, filed in the California Superior Court, Clorox accused Cognizant of repeatedly giving a cyber criminal access to its network by handing them credentials without authenticating them or otherwise following basic cyber security processes.
“Cognizant provided the service desk that Clorox employees could contact when they needed password recovery or reset assistance,” said Clorox in its complaint. “Cognizant’s operation of the service desk came with a simple, common-sense requirement: never reset anyone’s credentials without properly authenticating them first. Clorox made this easy for Cognizant by providing them with straightforward procedures to follow.
“Despite assuring Clorox that it was following these procedures, Cognizant’s conduct on 11 August 2023 demonstrated spectacularly that it was failing to do so…. Cognizant’s failures resulted in a catastrophic cyber attack on Clorox.”
Clorox’s complaint alleges that on 11 August, Cognizant’s service desk received a call from a hacker requesting a reset of an individual’s password – this person is identified in the complaint as Employee 1 – for the Okta identity management tool.
It said the hacker told Cognizant they could not connect to the VPN without a password, following which the customer support agent “unilaterally” reset the password without questioning the caller or verifying their identity. It claimed this was in direct violation of its support procedures.
At this point, Clorox’s complaint continues, the hacker tried their luck again and asked for a reset of their Microsoft multifactor authentication (MFA). Again, it says, this was done without verification.
Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network
Clorox’s legal complaint against Cognizant
After conducting two follow-up calls to again reset Employee 1’s Okta and Microsoft passwords, the hacker then convinced Cognizant’s agent to reset the phone number Employee 1 used for SMS MFA.
Clorox said that at no point during all of this did Cognizant’s agent verify the caller was the right person, or follow any of its identity support procedures, which had been updated a few months earlier.
“Cognizant – displaying a shocking level of incompetence – failed over and over at the most basic level and enabled a cyber criminal to gain a foothold in Clorox’s network,” said the complainant.
The complaint goes on to detail how, having accessed its systems, Scattered Spider then targeted Employee 2, an individual working on Clorox’s cyber security team, and used the same playbook to reset that person’scredentials. This enabled the gang to elevate their privileges within Clorox’s IT systems, establish persistence and begin lateral movement.
Clorox said it detected the intrusion within three hours and took action to eject the hackers from its network, but not before being forced to pull the plug on multiple critical systems.
On the basis of these alleged failings, claims that Cognizant intentionally misled Clorox into believing its staff were trained on its policies and procedures, and additional claims of “ongoing incompetence” that allegedly impeded the incident response efforts, Clorox is seeking to recover $49m in direct remediation damages and $380m in total.
In a statement shared with Computer Weekly’s sister title Cybersecurity Dive, a Cognizant spokesperson said: “It is shocking that a corporation the size of Clorox had such an inept internal cyber security system to mitigate this attack.
“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of helpdesk services, which Cognizant reasonably performed. Cognizant did not manage cyber security for Clorox.”
Timeline: Scattered Spider activity in 2025
22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signaling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
16 July: Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
Read more on Data breach incident management and recovery
