Tech

After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords

WDC NEWS 6 STAFF Send an email 1 day ago
5 1 minute read
After 0M hack, Clorox sues its “service desk” vendor for simply giving out passwords

Hacking is hard. Well, sometimes.

Other times, you just call up a company’s IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset… and it’s done. Without even verifying your identity.

So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.

So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the “debilitating” breach was not its fault. It had outsourced the “service desk” part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.

In the words of a new Clorox lawsuit, Cognizant’s behavior was “all a devastating lie,” it “failed to show even scant care,” and it was “aware that its employees were not adequately trained.”

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” says the lawsuit, using italics to indicate outrage emphasis. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”

I can has password reset?

From 2013 through 2023, Cognizant had helped “guard the proverbial front door” to Clorox’s network by running a “service desk” that handled common access requests around passwords, VPNs, and multifactor authentication (MFA) such as SMS codes.


Source link

Tags
WDC NEWS 6 STAFF Send an email 1 day ago
5 1 minute read

WDC NEWS 6 STAFF

Related Articles

Don’t Let Summer’s High Interest Rates Pass You By. Do This ASAP

Don’t Let Summer’s High Interest Rates Pass You By. Do This ASAP

2 hours ago
Hackers—hope to defect to Russia? Don’t Google “defecting to Russia.”

Hackers—hope to defect to Russia? Don’t Google “defecting to Russia.”

3 hours ago
new windowing system is great and other enhancements like smarter Shortcuts and Files app make the iPad better for professional use (Jason Snell/Six Colors)

new windowing system is great and other enhancements like smarter Shortcuts and Files app make the iPad better for professional use (Jason Snell/Six Colors)

3 hours ago
A long-awaited multi-tasking update pays off (so far)

A long-awaited multi-tasking update pays off (so far)

5 hours ago
Back to top button