Why is the Clorox Lawsuit Against Cognizant a Wake-Up Call for Third-Party Cyber Risk?

Reflecting on the news that The Clorox Company (Clorox) recently filed a USD 380 million lawsuit against Cognizant, its IT services provider, Ngaire Guzzetti, Technical Director – Supply Chain, discusses the importance of contract due diligence and continual testing of controls, as well as the growing threat posed by supply chain risk.
Edited by Georgina Varley-Reeves, Head of Marketing.

The 2023 Breach and the 2025 Lawsuit
Manufacturer The Clorox Company (Clorox) recently filed a USD 380 million lawsuit against Cognizant, its IT services provider, in the wake of the 2023 cyberattack that caused major disruptions to its operations. A cybercriminal, affiliated with the prolific threat group Scattered Spider, called Cognizant’s service desk and impersonated Clorox employees. Without verifying the caller’s identity, staff reset login credentials. These credentials granted the attacker access to Clorox’s Okta identity systems, VPN and other internal infrastructure.
The complaint issued by Clorox in July 2025 includes recorded call transcripts showing Cognizant agents providing passwords and resetting multi-factor authentication (MFA) systems without adequate checks. Clorox claims Cognizant also mishandled its incident response and disaster recovery, worsening the disruption. In response, Cognizant said: “Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed.”
This case is a stark reminder of the importance of contract due diligence and ongoing verification and monitoring of supplier adherence to contractual obligations. Here, we discuss what went wrong and what businesses can do to avoid suffering a similar fate to Clorox and Cognizant.
What Went Wrong for Clorox and Cognizant?
- Insufficient segmentation and monitoring of third-party access.
- A lack of zero-trust principles between vendor and client environments (zero-trust being a security model in which no user, device or network location is trusted by default, and every access request is verified and tightly scoped).
- Weak cyber incident response, recovery and business continuity planning, as evidenced by the prolonged disruption.
- Whilst contractual provisions were seemingly made, it is likely they were not audited or stress-tested to ensure robustness, compliance and/or adequacy.
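The first bullet points at the control that was missing around the help-desk resets described above: nobody correlated a service-desk credential or MFA reset with what the account did next. The following Python script is an added illustration, not code from the original article or from either company, of what that monitoring can look like. The event names, field layout and log lines are constructed for this example and do not follow any vendor's real log schema; the 30-minute correlation window and the `verified` flag (whether the agent completed identity verification before performing the reset) are assumptions.

```python
"""Flag help-desk credential or MFA resets that are quickly followed by a
sign-in from a device the user has never been seen on before.

Constructed example: event types, field names and log lines are invented for
illustration and do not reproduce any vendor's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed correlation window between a help-desk reset and a new-device login.
WINDOW = timedelta(minutes=30)
RESET_EVENTS = {"helpdesk.password.reset", "helpdesk.mfa.factor.reset"}

# Constructed sample log (not real data). Pipe-separated fields:
# timestamp | event_type | actor | target_user | device_id | verified
SAMPLE_LOG = """\
2023-08-10T08:00:00Z|user.session.start|bob|bob|dev-3c3c|-
2023-08-11T09:02:10Z|user.session.start|alice|alice|dev-1a2b|-
2023-08-11T10:15:42Z|helpdesk.password.reset|svc-helpdesk|alice|-|no
2023-08-11T10:16:05Z|helpdesk.mfa.factor.reset|svc-helpdesk|alice|-|no
2023-08-11T10:19:30Z|user.session.start|alice|alice|dev-9f9f|-
2023-08-11T11:00:00Z|helpdesk.password.reset|svc-helpdesk|bob|-|yes
2023-08-11T11:04:00Z|user.session.start|bob|bob|dev-3c3c|-
2023-08-11T12:00:00Z|helpdesk.mfa.factor.reset|svc-helpdesk|carol|-|yes
2023-08-11T12:05:00Z|user.session.start|carol|carol|dev-7e7e|-
"""


def parse_events(raw):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ts, etype, actor, target, device, verified = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "type": etype,
            "actor": actor,
            "user": target,
            "device": device,
            "verified": verified,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=WINDOW):
    """Return alerts for logins from a previously unseen device that occur
    within `window` of a help-desk reset on the same account.

    Severity is 'high' when any of the preceding resets was performed without
    identity verification, 'medium' otherwise (a verified reset followed by a
    new device is still worth a look, but is expected for a genuine lockout).
    """
    known_devices = defaultdict(set)   # user -> devices seen so far
    recent_resets = defaultdict(list)  # user -> reset events
    alerts = []
    for ev in events:
        if ev["type"] in RESET_EVENTS:
            recent_resets[ev["user"]].append(ev)
            continue
        if ev["type"] != "user.session.start":
            continue
        user, device = ev["user"], ev["device"]
        resets = [r for r in recent_resets[user] if ev["ts"] - r["ts"] <= window]
        if resets and device not in known_devices[user]:
            unverified = any(r["verified"] == "no" for r in resets)
            alerts.append({
                "user": user,
                "device": device,
                "login_at": ev["ts"].isoformat(),
                "reset_types": sorted({r["type"] for r in resets}),
                "severity": "high" if unverified else "medium",
            })
        # Every login extends the baseline of devices known for this user.
        known_devices[user].add(device)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the script raises a high-severity alert for `alice` (two unverified resets, then a login from an unknown device four minutes later), a medium alert for `carol` (verified reset, new device), and nothing for `bob`, whose post-reset login came from a device already in his baseline. In a real deployment the baseline would be seeded from historical sign-in data rather than built up inside the same run, and the `verified` flag would come from the ticketing system's record of which identity checks the agent completed.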
Why are Contract Due Diligence and Monitoring Important?
As evidenced here, contract due diligence is essential because it ensures that all parties fully understand their obligations, risks and expectations before entering into a formal agreement. By carefully reviewing the terms, verifying capabilities and assessing potential liabilities, organizations can prevent costly misunderstandings and legal disputes. In high-stakes partnerships, contract due diligence acts as a safeguard against operational disruptions, reputational damage and financial loss by confirming that vendors or partners are both competent and contractually accountable.
However, resilience requires the further step of continuous monitoring and regular assessments to ensure the supplier is not only adhering to obligations, but that those obligations are sufficient.
Why are Supply Chain Attacks a Growing Threat?
Recent studies indicate a third of cyber incidents are now rooted in third-party exposures. The breach didn’t start inside Clorox. It came through Cognizant. The complexity of modern, global supply chains makes it increasingly easy for cyber threats to infiltrate through indirect channels. Cybercriminals are shifting focus from direct attacks on businesses to exploiting vulnerabilities in their suppliers, and many businesses are dangerously unprepared. This has been evidenced in recent months by the Scattered Spider-linked attacks on Marks and Spencer, Co-op and Harrods.
The Clorox/Cognizant case demonstrates what happens when digital trust is assumed, not earned or continuously validated. Clorox spent over USD 49 million on remediation and suffered hundreds of millions more in lost revenue and disrupted shipments. It is time for organizations to take supply chain risk seriously.
It is imperative for organizations to recognize that shared responsibility doesn’t mean equal security. Even when risk is outsourced, it remains the responsibility of the outsourcing organization. There needs to be a mindset shift in organizations that think cyber risk is an IT problem – a cost rather than an investment. Regulations such as NIS2 and DORA emphasize the necessity of securing and monitoring supply chains, and they make explicit that digital risk is now a Board-level concern.
What Should Organizations be Doing Differently?
- Conduct due diligence not only prior to onboarding, but at regular intervals throughout the engagement, e.g. does the supplier still hold ISO 27001 certification two years after declaring it, and does its scope still cover the environments that matter to you?
- Ensure contract obligations include rights to audit, specific cybersecurity controls, SLAs and breach notification timelines. Require cyber insurance, and the right to terminate for major lapses. Ensure these obligations are passed on to third, fourth, and nth suppliers.
- Tier your suppliers not just by spend, but by their cyber impact on your operations and their access to your networks and data.
- Continuously monitor and reassess third-party access and segmentation.
- Mandate cyber requirements contractually: Endpoint Detection and Response, MFA, backups, breach notifications, etc.
- Run tabletop exercises with key vendors, simulate attacks and test the response.
- Implement joint response plans, access controls and regular audits to ensure resilience strategies are fit-for-purpose.
- Collaborate with third parties, increase communication and provide a unified response for greater resilience.
- Elevate supply chain cyber risk to the boardroom. It’s not just an IT concern anymore; it needs C-suite buy-in, as backed by recent regulations such as NIS2 and DORA.
We Can Help
At a time when cyber threats are slipping through the cracks in supply chains and where industries are more connected than ever, the stakes are simply too high to leave to chance.
The clearer your view of third-party risk, cyber and beyond, the better able you are to defend against it. This is where CyXcel can help – before, during or after an incident. Contact us today to discuss how to better manage your supply chain risk.