Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging that the hackers pulled off the intrusion just by asking the tech firm’s staff for employees’ passwords.
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.
The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider’s hackers was able to repeatedly steal employees’ passwords simply by asking for them.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”
Cognizant did not immediately return a message seeking comment on the suit, which was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.
Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to, for example by quizzing them on their employee identification number or their manager’s name.
“I don’t have a password, so I can’t connect,” the hacker says in one call. The agent replies, “Oh, ok. Ok. So let me provide the password to you ok?”
The 2023 hack caused $380 million in damages, Clorox said in the suit, about $50 million of which was tied to remedial costs and the rest of which was attributable to Clorox’s inability to ship products to retailers in the wake of the hack.
Clorox said the clean-up was hampered by other failures by Cognizant’s staff, including failure to de-activate certain accounts or properly restore data.