Cognizant Sued for Failure to Secure Customer Data
Clorox recently sued Cognizant for gross negligence, claiming Cognizant negligently gave away passwords and reset authentication protocols without confirming the identity of individuals. Allegations from Clorox include the release of network passwords after a caller simply asked for the password. Cognizant serves as the IT service provider for Clorox.
Clorox brings four causes of action against Cognizant: breach of contract, breach of the covenant of good faith and fair dealing, gross negligence, and intentional misrepresentation.
The lawsuit states, “Cognizant was not duped by an elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.” (Clorox Complaint, ¶ 5 (emphasis in original).)
One example included in the complaint is the following transcription showing the release of a password without any authentication:
Cybercriminal: “I don’t have a password, so I can’t connect.”
Cognizant: “Oh, ok. Ok. So let me provide the password to you ok?”
Cybercriminal: “Alright. Yep. Yeah. What’s the password?”
Cognizant: “Just a minute. So it starts with the word ‘Welcome…’”
Another example included shows the resetting of multi-factor authentication, without any verification of the identity of the caller:
Cybercriminal: “My Microsoft MFA isn’t working.”
Cognizant: “Oh, ok…”
Cybercriminal: “Can you reset my MFA? It’s on my old phone…[inaudible] old phone”
Cognizant: [Following a brief hold] “So thanks for being on hold, Alex. So multi-factor authentication reset has been done now. Ok. So can you check if you’re able to login…”
Cybercriminal: “Alright. It let me sign in now. Thank you.”
Clorox states the cybercriminal used these credentials to attack Clorox. Clorox states the cybercriminals obtained resets of passwords and multi-factor authentication processes, as well as phone number resets for SMS authentication processes. Importantly, according to Clorox, all of this was obtained without any employee verification.
As a result of this attack, Clorox states its corporate network was paralyzed and its business operations were crippled. Clorox also alleges that Cognizant failed in its response to the issues, compounding the issues and making the damage worse.
Clorox is seeking damages of $380 million, as well as punitive damages. This complaint serves as another reminder of the importance of cybersecurity and the importance of having adequate security checkpoints prior to releasing sensitive information.