A lawsuit is claiming that Clorox was hacked after a vendor just gave out passwords to whoever happened to call them.
Have you seen one of those bad pharmaceutical commercials where the actors and actresses look at the camera and say “I just asked”? Congratulations! You now have most of the know-how you need to break into a Fortune 500 company and steal hundreds of millions of dollars’ worth of data – at least at one point anyway.
Court documents are apparently alleging that Clorox outsourced its IT infrastructure to a third party, and that the third party reset and handed out passwords to anyone who asked – no authentication required. If that sounds too ridiculous to be true, well, just look at Ars Technica:
So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.
So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?
According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the “debilitating” breach was not its fault. It had outsourced the “service desk” part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.
In the words of a new Clorox lawsuit, Cognizant’s behavior was “all a devastating lie,” it “failed to show even scant care,” and it was “aware that its employees were not adequately trained.”
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” says the lawsuit, using italics to indicate outrage emphasis. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”
The transcripts were also posted, and they are as stunning as the descriptions:
After adopting the ID of a second Clorox user in IT security and calling back later that same day, the hacker tried all the same tricks again. And they worked, even across multiple Cognizant agents.
Cognizant Agent: How can I help you today?
Cybercriminal: Um my password on Okta was not working …
Cognizant Agent: I’m going to have your password reset from my end right away. Ok. And we’ll see how it’s going to work. Ok. [Following a brief hold] Thank you … I’m extremely sorry for the long hold. So … password is going to be Clorox@123.
Cybercriminal: What’s that?
Cognizant Agent: Yeah it was Clorox@123…Ok.
Cybercriminal: Yep.
Cognizant Agent: Want me to wait over the phone while you are trying it?
Cybercriminal: Yes, yes, please.
Cognizant Agent: Sure … sure.
Apparently, Cognizant contacted Ars Technica after the story was published and said that Clorox is the company that is lying. They said that they had nothing to do with how the company got hacked:
A PR agency representing Cognizant reached out to us after publication with the following statement: “It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox.”
So, they tried to deflect blame on top of it all, meaning this is going to be one fun court case.
For context, what is described here is a vishing attack. I know this because I remember seeing a DEF CON video in the 2010s showcasing this very technique, when a journalist asked a social engineer to test their skills by breaking into the journalist’s cellphone provider – with terrifying efficiency:
Just think: security protocols for IT help desks, in at least one instance, haven’t improved at all since that video was made.
All of this is why just leaving security to the free market is such a bad idea. In the open market, security is seen merely as an expense, not as something that is important. Some companies will do what they can to find the cheapest possible solution for handling the security of people’s personal information, or even of their own infrastructure. In some instances, a company might even go without entirely just to save a few bucks. That is why, when I see stories like this, yes, it’s embarrassing for the company, but it’s also not entirely surprising.
At the risk of sounding like a broken record, it is also why I’m an advocate for broad federal-level privacy reform. The free market has completely and utterly failed at protecting people’s personal information. If anything, we are seeing moves towards treating people’s personal information as a financial opportunity in terms of what can be sold to third parties to make a fast buck. What happens to that personal information afterwards? Well, the company couldn’t care less. They made their money on it, and that’s all that matters to them. With privacy reform, you can set a standard for what is required to protect sensitive personal information, with the possibility of fines for failing to follow those guidelines.
Without a doubt, the Clorox hack was bad. That’s not just because of the amount of damage that was done, but also because of the low bar needed to carry out the attack. A general bit of wisdom about security is that security is only as strong as its weakest link. Often, that weakest link is the human component. This case was a clear demonstration of that.
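As an added detection example (not from the article, the lawsuit or either company), the following Python reviews constructed service-desk ticket records for the pattern the filings describe: credential and MFA resets issued with no identity verification, a privileged IT security account reset on the same caller’s word later the same day, and a guessable Clorox@123 temporary password. The ticket fields, the verification categories, the call-session ids and the date are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Ticket:
    when: datetime
    caller: str          # phone number or call-session id as logged by the desk (assumed field)
    account: str
    privileged: bool     # e.g. the account belongs to someone in IT security
    actions: tuple       # any of the three resets the article names
    verification: str    # "none", "knowledge", "callback", "manager_approval" (assumed categories)
    temp_password: str = ""
WEAK_TEMP = re.compile(r"^[A-Za-z]+@\d{1,4}$")   # Word@123 shapes such as Clorox@123 (constructed rule)
STRONG_VERIFICATION = {"callback", "manager_approval"}
MFA_RESETS = {"okta_mfa_reset", "ms_mfa_reset"}
def ticket_findings(t: Ticket) -> list[str]:
    # Policy checks on one reset ticket; an empty list means it passed.
    findings = []
    if t.verification == "none":
        findings.append("no identity verification before credential change")
    if MFA_RESETS & set(t.actions) and t.verification not in STRONG_VERIFICATION:
        findings.append("MFA factor reset without out-of-band verification")
    if t.privileged and t.verification != "manager_approval":
        findings.append("privileged account reset without manager approval")
    if t.temp_password and WEAK_TEMP.match(t.temp_password):
        findings.append("guessable temporary password issued")
    return findings

def review(tickets: list[Ticket], window=timedelta(hours=24)) -> dict[str, list[str]]:
    # Per-ticket findings plus a cross-ticket check: one caller, several identities.
    out = {f"{t.account}@{t.when:%H:%M}": ticket_findings(t) for t in tickets}
    by_caller: dict[str, list[Ticket]] = {}
    for t in sorted(tickets, key=lambda x: x.when):
        by_caller.setdefault(t.caller, []).append(t)
    for caller, ts in by_caller.items():
        accounts = {t.account for t in ts if t.when - ts[0].when <= window}
        if len(accounts) > 1:
            for t in ts:
                out[f"{t.account}@{t.when:%H:%M}"].append(
                    f"caller {caller} changed credentials for {len(accounts)} identities within the review window")
    return out
# Constructed tickets mirroring the two calls described in the article; the date is a placeholder.
DAY = datetime(2023, 1, 1, 9, 0)
SAMPLE = [
    Ticket(DAY, "call-7781", "j.doe", False, ("password_reset",), "none", "Clorox@123"),
    Ticket(DAY + timedelta(hours=3), "call-7781", "itsec.admin", True,
           ("password_reset", "okta_mfa_reset", "ms_mfa_reset"), "none", "Clorox@123"),
    Ticket(DAY + timedelta(hours=5), "call-9002", "m.lee", False, ("password_reset",), "callback", "x7!Qv#9pLm2r"),
]
```

The third ticket shows what a clean record looks like: a single reset, verified by callback, with a non-patterned temporary password, so it produces no findings.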
Drew Wilson on Mastodon, Twitter and Facebook.