
Clorox accuses IT provider in lawsuit of giving hackers employee passwords
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock the companies up for ransom.
The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."
Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.
"Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed," Cognizant said.
The suit was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.
Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to, for example by quizzing them on their employee identification number or their manager's name.
"I don't have a password, so I can't connect," the hacker says in one call. The agent replies, "Oh, OK. OK. So let me provide the password to you OK?"
The apparent ease with which the hackers got what they wanted wasn't necessarily an indication that they weren't skilled, said Maxie Reynolds, a security expert who has specialized in social engineering and is not a party to the case.
"They just tried what typically works," she said.
Reynolds said the full transcripts were needed to offer a fair evaluation of what happened in 2023 but said that, "if all they had to do was call and ask straight out, that's not social engineering and it is negligence/non-fulfillment of duty."
The 2023 hack at Clorox caused $380 million in damages, the suit said, about $50 million of which was tied to remedial costs and the rest attributable to Clorox's inability to ship products to retailers in the wake of the hack.