The Clorox Company has filed a comprehensive lawsuit against Cognizant Technology Solutions, seeking approximately $380 million in damages for a catastrophic cyberattack that occurred on August 11, 2023.
The complaint, filed in Alameda County Superior Court on July 22, 2025, alleges that Cognizant’s negligent handling of the company’s IT service desk directly enabled cybercriminals to infiltrate Clorox’s corporate network through a series of shocking security failures.
Service Desk Agents Handed Over Network Access
According to court documents, the cyberattack began when a cybercriminal simply called Cognizant’s service desk and requested password resets for Clorox employees.
Despite comprehensive credential support policies requiring proper authentication, Cognizant agents repeatedly provided network credentials without verifying the caller’s identity.
Transcripts included in the lawsuit reveal the stunning simplicity of the breach:
“Cybercriminal: I don’t have a password, so I can’t connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you, ok?
Cybercriminal: Alright. Yep. Yeah, what’s the password?
Cognizant Agent: Just a minute. So it starts with the word ‘Welcome…’”
The cybercriminal successfully obtained credentials for two Clorox employees through multiple phone calls, with agents resetting passwords, Microsoft Multi-Factor Authentication (MFA), Okta MFA, and SMS verification systems without following established protocols.
These credentials provided privileged access to Clorox’s Virtual Private Network (VPN) and identity management systems.
Technical Failures Compounded Security Breach
The lawsuit details how Cognizant agents violated multiple layers of cybersecurity protocols.
The company’s established procedures required directing users to the MyID self-reset verification tool or confirming identity through manager names and sending confirmation emails to both employees and supervisors.
None of these safeguards were implemented during the August 11 calls.
Furthermore, when one agent discovered “two MFA applications” under an employee’s account, she proactively offered to reset both Okta and Microsoft MFA systems without being asked.
The cybercriminal’s response was simply: “Yeah… reset both of them.”
This systematic failure allowed the attacker to establish persistence within Clorox’s network and move laterally through critical systems.
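The verification steps described above can be checked after the fact against service desk audit records. The following is an added example, not code from the court filing or from either company: it flags resets that followed neither verification path and escalates when a password reset and an MFA reset hit the same account in one window. The event fields, the 30-minute window, and the reading of the policy as two alternative paths (MyID self-reset, or manager-name confirmation plus emails to employee and supervisor) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MFA_ACTIONS = {"okta_mfa_reset", "microsoft_mfa_reset", "sms_reset"}

# Constructed sample audit events; field names and values are assumptions.
EVENTS = [
    {"ts": "2024-01-15T14:02", "user": "emp1", "action": "password_reset",
     "verified_by": None, "notified": []},
    {"ts": "2024-01-15T14:09", "user": "emp1", "action": "okta_mfa_reset",
     "verified_by": None, "notified": []},
    {"ts": "2024-01-15T14:11", "user": "emp1", "action": "microsoft_mfa_reset",
     "verified_by": None, "notified": []},
    {"ts": "2024-01-15T15:30", "user": "emp2", "action": "password_reset",
     "verified_by": "manager_name", "notified": ["employee"]},
    {"ts": "2024-01-15T16:00", "user": "emp3", "action": "password_reset",
     "verified_by": "manager_name", "notified": ["employee", "supervisor"]},
    {"ts": "2024-01-15T16:20", "user": "emp4", "action": "sms_reset",
     "verified_by": "myid_self_reset", "notified": []},
]

def compliant(ev):
    """True if the reset followed either verification path (assumed reading)."""
    if ev["verified_by"] == "myid_self_reset":
        return True
    return (ev["verified_by"] == "manager_name"
            and {"employee", "supervisor"} <= set(ev["notified"]))

def review(events, window=timedelta(minutes=30)):
    """Return one finding per user with non-compliant resets, worst first."""
    by_user = defaultdict(list)
    for ev in events:
        if not compliant(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["action"]))
    findings = []
    for user, hits in by_user.items():
        hits.sort()
        severity = "medium"
        # Escalate when a password reset and an MFA reset for the same account
        # fall in one window: the caller then holds both password and factor.
        for i, (t0, _) in enumerate(hits):
            kinds = {a for t, a in hits[i:] if t - t0 <= window}
            if "password_reset" in kinds and kinds & MFA_ACTIONS:
                severity = "high"
        findings.append({"user": user, "severity": severity,
                         "actions": [a for _, a in hits]})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```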
Legal Claims Target Contract Breaches and Gross Negligence
Clorox’s complaint includes four primary causes of action: breach of contract under their Information Technology Services Agreement (ITSA), breach of the covenant of good faith and fair dealing, gross negligence, and intentional misrepresentation.
The lawsuit alleges Cognizant repeatedly assured Clorox that service desk personnel were properly trained on credential support procedures, with a Service Desk Lead confirming in February 2023 that the team had been “Educated” on updated protocols.
The cyberattack forced Clorox to shut down manufacturing operations and implement manual order processing systems, and it resulted in significant product shortages.
The company’s total damages include over $49 million in remedial costs and hundreds of millions in business interruption losses, while Cognizant reported $20 billion in revenue for 2024.