When most people think of hacking, they probably think of some Matrix-like montage of all-black suits, otherworldly tech savvy, and an obligatory “I’m in” once everything goes as planned:
Lo and behold: movies and YouTube shorts may not be the most accurate reflections of reality. Turns out that all some multi-million dollar hacking schemes require is to just ask for the victim’s password. NBC News has coverage:
Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging that [Scattered Spider, a hacking group] pulled off the intrusion simply by asking the tech company’s staff for employees’ passwords.
…
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” according to a copy of the lawsuit reviewed by Reuters. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.”
There’s something poetic about the idea that a tech company named Cognizant would not be aware of an imminent “hacking.” Cognizant’s alleged lack of awareness ultimately cost around $380M in damages. Everyone can admit that two-factor authentication is annoying, but come on people — you should at least have 1 factor!
The Record was able to get Cognizant’s take on the repeated security breaches. Cognizant’s spokesperson placed the blame on Clorox, saying that it was “shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.”
Who is actually responsible will be for courts to figure out, but the story as it stands makes it look like everyone but Scattered Spider fell asleep at the wheel. Clorox’s “No, you” account of what happened is pretty damning:
“The Agent further reset Employee 1’s MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee’s manager to alert them of the password reset.”
Clorox reportedly gave Cognizant instructions to verify a caller’s identity before giving away passwords — something the suit claims Cognizant employees failed to do at least three times.
Keep your eyes peeled: the FBI has recently announced that Scattered Spider has pivoted its attention toward airlines.
Considering Boeing already has trouble securing their airplane doors, I wouldn’t be too surprised if someone finds security issues with their tech.
Lawsuit Says Clorox Hackers Got Passwords Simply By Asking [NBC News]
Clorox Lawsuit Says Help-Desk Contractors Handed Over Passwords In 2023 Cyberattack [The Record]

Chris Williams became a social media manager and assistant editor for Above the Law in June 2021. Prior to joining the staff, he moonlighted as a minor Memelord™ in the Facebook group Law School Memes for Edgy T14s. He endured Missouri long enough to graduate from Washington University in St. Louis School of Law. He is a former boatbuilder who is learning to swim, is interested in critical race theory, philosophy, and humor, and has a love for cycling that occasionally annoys his peers. You can reach him by email at cwilliams@abovethelaw.com and by tweet at @WritesForRent.
The post Clorox’s Multi-Million Dollar Lawsuit Reveals Embarrassing Security Protocol appeared first on Above the Law.