Clorox is suing its former IT service desk provider, Cognizant, for $380 million, alleging direct responsibility for a costly August 2023 cyber-attack. The lawsuit claims Cognizant’s failure to follow proper protocols and identity verification led to hackers gaining access to Clorox’s corporate network, causing months of operational disruption and significant financial losses.
The lawsuit, filed on July 22 in California Superior Court, asserts that Cognizant directly enabled the cybercriminal to infiltrate Clorox’s systems.
Specifically, Clorox alleges that Cognizant’s service desk employees handed over network credentials without proper authentication, allowing the attacker to gain unauthorized access. This alleged negligence is supported by call recordings, demonstrating a severe lapse in cybersecurity protocols that Clorox had entrusted to Cognizant for over a decade. Clorox’s outside counsel, Mary Rose Alexander, emphasized that Cognizant’s actions were a “reckless disregard” for established cybersecurity standards.
The August 14, 2023 cyber-attack forced Clorox to take portions of its IT systems offline, leading to significant delays in production and order processing. Despite Clorox’s efforts to implement business continuity plans and restore operations, the impact proved to be widespread and prolonged. The company struggled to fully recover for weeks, experiencing ongoing disruptions to its supply chain, which affected both product availability and overall financial performance.
The financial toll of the cyber-attack on Clorox has been substantial. An SEC filing in January 2024 revealed expenses of $49 million incurred in the six months ending December 31, 2023, directly related to the incident. Furthermore, the long-term impact of the attack has extended beyond immediate financial costs, with Clorox stating in its October 2024 annual report that it was reassessing some sustainability goals, including plastic and waste reduction targets before 2030, partly due to the disruptions.
Clorox is seeking $380 million in direct and compensatory damages, in addition to punitive damages, underscoring the severity of the alleged breach of trust and negligence by Cognizant. This lawsuit highlights the critical importance of robust cybersecurity measures and stringent adherence to protocols, especially when third-party providers are entrusted with access to sensitive corporate systems. The outcome of this case could set a significant precedent for accountability in the realm of IT service provision and cybersecurity.
Reference:
