Popular bleach brand Clorox filed a case against Cognizant, its IT provider, after the company discovered that the latter had simply given away access credentials to hackers posing as employees. According to an NBC News report, this breach allowed Scattered Spider, a hacking group that targets company service desks, to infect Clorox with ransomware in August 2023. This IT support gaffe allegedly resulted in around $380 million worth of damage and disruption for Clorox.
Cognizant manages Clorox’s internal networks, and employees who have issues with their passwords, multi-factor authentication (MFA) codes, and VPNs must coordinate with the IT provider to regain access to their system. However, Clorox alleges that the Cognizant Service Desk gave out access passwords without verifying the identity of the caller. Such action would contradict the policies that have been set in place to prevent unauthorized personnel from gaining access, which Ars Technica says include an internal verification and self-reset password tool. If the user does not have access to this tool, Cognizant must check their identity by asking for their manager’s name and their username. The password is then reset, and an email is sent to the employee and their supervisor to help ensure some level of security.
Low-effort social engineering win for the cyber criminals
Unfortunately, this did not happen in several instances. Instead, Cognizant staff simply handed over the passwords without confirming the identity of the caller, it is claimed. One partial call transcript provides evidence of this, with the alleged hacker telling the Cognizant employee, “I don’t have a password, so I can’t connect.” The employee then replied without hesitation, “Oh, ok. Ok. So, let me provide the password to you, okay?”
Assuming the identity of authorized personnel is one of the most basic social engineering attacks, which is why many IT companies deploy several measures against it. However, it seems that Cognizant’s employees were too trusting and violated protocol, potentially leading to millions of dollars in losses for Clorox. This goes to show that no matter how robust and sophisticated your cybersecurity is, it can always be breached at its weakest point.
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” the lawsuit asserts. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”