Bleach maker Clorox has taken legal action against the tech company Cognizant, accusing it of helping hackers access Clorox’s network during a major cyberattack in 2023. The lawsuit claims that hackers connected to a group known as Scattered Spider easily tricked Cognizant’s support staff into handing over employee passwords by simply asking for them over the phone.
In August 2023, Clorox was one of several large companies targeted by Scattered Spider, a hacking group famous for deceiving IT help desks to get inside information. Instead of using high-tech hacking tools, the group relied on basic social engineering tactics. According to court papers filed in California, one hacker called Cognizant’s service desk multiple times and was given access without any real verification: the caller was not asked to confirm important details like employee ID numbers or managers’ names.
Clorox says this lack of caution led to a breach that caused roughly $380 million in damages. About $50 million of that amount went to fixing the problems, while the rest came from Clorox’s struggles to ship products after the attack disrupted its operations. The lawsuit also points to other mistakes by Cognizant’s team, such as failing to deactivate accounts or properly restore lost data, which made the recovery harder.
Cognizant responded by saying it only provided limited help desk services to Clorox and did not manage its cybersecurity. It stressed that it fulfilled the narrow role it was hired for and pushed back on being blamed for the breach.
Security expert Maxie Reynolds, who studies social engineering attacks but isn’t involved in the case, noted that what happened isn’t unusual. She said hackers often try simple tactics that work, and if a company hands over passwords without checking who’s asking, it can be considered negligence.
The legal case is unfolding quietly, with the complaint filed in Alameda County but not yet widely posted online. Clorox provided a court receipt to confirm the suit’s existence.
This incident highlights how even the biggest companies can fall victim when basic security steps are overlooked. It shows that cyberattacks don’t always require sophisticated hacks — sometimes just asking the right questions at the right time is enough to cause major damage.