From Bleach to Breach: How Clorox Lost Nearly $400m in Cyberattack with Misplaced Trust
The household cleaning product provider fell victim to a cyberattack following a vishing attack at their contracted IT provider.
In August 2023, Clorox fell victim to a major cyberattack orchestrated by the threat group known as Scattered Spider. The breach originated when Cognizant, the IT services provider handling Clorox’s help‑desk calls, provided employee passwords directly to the attackers without verifying the callers' identities. Clorox continues to claim there were no security questions asked and MFA tokens and passwords were reset upon request.
An attack carried out mainly over voice or telephone communication is known as vishing (voice phishing). The same technique was recently used to infiltrate MGM Resorts.
Once those stolen credentials were used, the malicious actors were able to breach Clorox’s systems. The attackers disrupted Clorox’s network, paralyzing manufacturing operations, forcing manual order processing, and inducing product shortages that caused quarterly sales to decrease by 28%. Legal fees and remediation expenses alone have reached about $49 million, with the total financial impact estimated at $380 million so far.
What Went Wrong
According to Clorox, they had explicitly provided Cognizant with strict credential-reset protocols including verifying a manager’s name or sending confirmation emails. However, agents allegedly disregarded those procedures, falsely assuring Clorox that staff were trained and compliant. As the complaint bluntly states: “The cybercriminal just called … and Cognizant handed the credentials right over.”
Further, once the attack was discovered, Cognizant’s emergency response was inadequate. Reports claim they delayed reinstalling security tools, provided incorrect managed IP addresses, and dispatched unfamiliar engineers over the course of hours. This failure forced Clorox to engage another firm to remediate the crisis.
In July 2025, Clorox filed a lawsuit against Cognizant for breach of contract, breach of good faith and fair dealing, gross negligence, and intentional misrepresentation. Cognizant has responded to the suit stating that it provided only a limited scope of help desk services, that Clorox's own systems were vulnerable, and that it was hired to provide support, not security-related services.
What Was The Impact
Clorox reports estimate losses of at least $380 million, including remediation and lost sales, as a result of the attack. Manufacturing lines and order processing were severely impacted. As a result of the news, Clorox stock plummeted over 25%, resulting in millions in losses for its shareholders.
Putting Steps in Place to Mitigate a Vishing Attack
Clorox hired Cognizant as a third-party IT services provider. This is a practice growing in popularity in financial services, especially with tax professionals and accountants. Whether a firm is entirely in-house or using a third party, there are several key steps that should be taken to reduce the risk of a vishing attack.
Strict Identity Verification
Require callers to be verified against a defined identity-matching process instead of simply asking for somebody’s name, and confirm their identity with details before acting on any request.
Enforce multi-channel confirmation such as Multi-Factor Authentication for all of your systems without exception.
Comprehensive Training
Regularly train all staff on proper procedures and social engineering attack prevention, specifically account vishing, phishing, and smishing.
Conduct periodic audits or "mystery caller" tests to verify compliance.
Review Vendor Contracts Regularly
Regularly review, test, and perform due diligence on all security systems, especially those reliant upon third-parties.
Detail exact procedures for credential handling and incident response requirements in service-level agreements.
Include penalties for non-compliance and mandatory reporting of any breach attempts.
Include auditing and mystery caller support in all contracts.
Responsive Incident Management
Ensure service providers have documented, tested incident response plans.
Demand transparency on systems changes, outages, and management.
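As an added illustration (not code from the article, Clorox or Cognizant), here is a minimal Python gate for help-desk password and MFA resets that enforces the kinds of controls the steps above describe: an opened ticket, a callback to the phone number on record, a confirmation-email token, and approval by the manager on record, with every decision written to an audit log. The directory, user names and phone number are constructed sample data.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample directory of record (hypothetical user and manager).
DIRECTORY = {
    "jdoe": {"phone": "+1-555-0100", "manager": "asmith"},
}


@dataclass
class ResetRequest:
    # What the help-desk agent has actually collected before acting.
    claimed_user: str
    ticket_id: str | None = None           # request logged in ticketing system
    callback_number: str | None = None     # number the agent dialled back
    email_token: str | None = None         # token read back from confirmation email
    manager_approval_by: str | None = None


class ResetGate:
    # Refuses a reset unless every out-of-band check passes; logs each decision.
    def __init__(self, directory):
        self.directory = directory
        self.pending_tokens = {}
        self.audit_log = []

    def send_confirmation_email(self, user: str) -> str:
        # Token is delivered to the mailbox on record, never read to the caller.
        token = secrets.token_urlsafe(16)
        self.pending_tokens[user] = token
        return token

    def evaluate(self, req: ResetRequest):
        failures = []
        rec = self.directory.get(req.claimed_user)
        if rec is None:
            failures.append("unknown user")
        if not req.ticket_id:
            failures.append("no ticket opened")
        if rec and req.callback_number != rec["phone"]:
            failures.append("no callback to number on record")
        expected = self.pending_tokens.get(req.claimed_user)
        if not (expected and req.email_token
                and hmac.compare_digest(expected, req.email_token)):
            failures.append("confirmation email not acknowledged")
        if rec and req.manager_approval_by != rec["manager"]:
            failures.append("manager approval missing")
        approved = not failures
        self.audit_log.append((req.claimed_user, approved, tuple(failures)))
        return approved, failures
```

A caller who "just called and asked" fails every check and is recorded as a refused attempt, which is exactly the event the contract steps above say should be reported.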
Clorox’s lawsuit against Cognizant highlights how important security compliance and data protection standards are within an organization. For those in financial services, we have a legal requirement through the FTC Safeguards Rule to monitor, assess, and perform due diligence on our partners, both at the time of selection and on an ongoing basis.
Prevention isn’t just operational—it’s contractual and cultural.
If you do not fully understand an issue or if you need assistance working through a resolution, the team here at Financial Guardians is available for Individual Support Calls to assist with any individual or specific matters.
Financial Guardians has partnered with NAEA to provide access to our monthly Guardian Tier membership at a 30% discount.
Active NAEA members can access the online discount here.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Join today at www.incite.tax.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org.