How do hackers get passwords? Sometimes, they just ask.

jpv128

Smack-Fu Master, in training
1
Man, I wish I had balls like Cognizant. It doesn't matter if they were hired for cybersecurity, and I don't believe that's even being contested. Clorox is blaming them for their complete foolishness in willingly handing over credentials without verifying they were being given to the legitimate user, despite their promises (likely in writing) that user verification was being performed. They lied, and their claim when their lies cost their client money is "well you should've been more secure anyway". You can have all the security in the world but if your helpdesk is giving everyone on the planet access to your network, what's the point? That backhanded PR response is just icing on the excrement cake that is this situation.
 
Upvote
33 (33 / 0)
Which was a choice that Clorox made. Which should have involved due diligence and regular audits.

Which means, ultimately, it was Clorox's responsibility.

As mentioned elsewhere, simply having test callers regularly validate that procedure was followed would have prevented it. Unless it was a really unlucky one-off... but that would also mean Cognizant isn't as incompetent as the article implies.
There are lots of ways to cheat and spoofing test calls isn't that hard. Many years ago a major* call center operator was caught warning their agents when an auditing call was coming in. It took someone going undercover and hiring on as an employee to catch them.

*By 'major' I mean 'in the top three largest call center operators in the world.'
IMO it doesn't matter, but they need to manage the IT function properly regardless of who is providing it. Middle management gets mocked a lot, but monitoring, detecting, and correcting performance of operations is exactly what line management and/or vendor management is about.
Middle management != line management.
 
Upvote
12 (12 / 0)
Why did they not have at least one supervisor from the company onsite 24/7? Maybe because that would invalidate any plausible deniability? Carry on Mr. CIO.
Because that center isn't just taking calls for your company, and your supervisor has no right to be there while those agents are handling other companies' calls, just as those companies aren't allowed to have their supervisors present for your calls.
 
Upvote
31 (31 / 0)

JanneM

Ars Scholae Palatinae
737
Subscriptor++
Agreed, I worked for a large Fortune 100 company that would waste large amounts of money on contractors and consultants under the guise of "we're letting them do what they do best." At best, offshore contractors are good for reducing on-call headaches from mundane tasks or changes that follow a standard playbook, reducing pain points in off hours.

Many of the consultants hired to solve a problem just set up calls with the employees who already knew several issues and made the upline aware of it. They did have a nice Excel spreadsheet that I'm sure went into a Powerpoint somewhere though.

You could reasonably reframe this as the consultant helped the organization to uncover broken communication paths, discover new efficiencies and make use of latent potential within the organization.

And I mean that unironically. It really can be hard to see structural issues like that from within, while an outside set of eyes have the perspective and the access to spot it immediately.
 
Upvote
6 (6 / 0)

Deleted member 1085004

Guest
You could reasonably reframe this as the consultant helped the organization to uncover broken communication paths, discover new efficiencies and make use of latent potential within the organization.

And I mean that unironically. It really can be hard to see structural issues like that from within, while an outside set of eyes have the perspective and the access to spot it immediately.
Except it wasn't aimed at solving structural issues; the Directors and AVPs on up could have just done their jobs and listened to the engineers and administrators, which was really the knowledge gap. The consultants came in with a spreadsheet, asked what products were used, and cross-referenced with Gartner or some other garbage for a 'solution.'

Heavy vendor product sprawl with dozens of contracts for overlapping issues, and they couldn't figure it out because they only thought in terms of contracts and products instead of the foundations of how things work. Architects weren't subject matter experts; they were career-ers who worked off of tribal knowledge with vendors. Hard to achieve consolidation of security products, among other things, when few people cared to look at how underlying business systems worked.

It would have been one thing if they hired consultants to come in and document the ground-level foundations of how things worked, but instead it's just a perpetual game of trying to improve things with a thesaurus of corporate jargon bullshit generators, because they don't know how things work and didn't care to know.
 
Upvote
9 (9 / 0)

Hydrargyrum

Ars Praefectus
4,111
Subscriptor
Why were the help desk people even able to see the passwords? Granted, I know little technically about this sort of thing but outsourcing that kind of access to literally, whoever, seems unwise.

Pushing a button that sends a reset email is one thing, seeing the password in the clear and relaying over the phone, wtf?
The passwords mentioned in the recordings looked like temporary passwords that the help desk staff had just set on the account, overriding the previous password of the user. Standard password reset methodology.
 
Upvote
25 (25 / 0)

Nilt

Ars Legatus Legionis
21,841
Subscriptor++
The article should say "The employees were not adequately trained in social engineering", which was what happened here.
I suppose you could call it that but there's virtually no engineering involved. If just calling and asking for a password reset counts, virtually everything would count.
 
Upvote
5 (9 / -4)

JuniorTempest

Wise, Aged Ars Veteran
173
Subscriptor++
Update: A PR agency representing Cognizant reached out to us after publication with the following statement: "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox."
Notice that Cognizant's PR firm says that "Clorox hired Cognizant for a narrow scope of help desk services [..] Cognizant did not manage cybersecurity for Clorox".

Of course, this doesn't address or deny the core complaint. In the suit, Clorox did not say that Cognizant failed to perform cybersecurity management, rather that Cognizant failed to follow Clorox's mandatory cybersecurity protocols and procedures (not to mention the absolutely basic fundamentals) while providing help desk services. Protocols and procedures for which Clorox says it regularly sought assurance from Cognizant that it was following and that Cognizant regularly assured Clorox that it was compliant. If Clorox has the voice recordings as transcribed, Cognizant was clearly not compliant.
 
Upvote
31 (31 / 0)
If you made the decision to outsource the service desk to someone else instead of keeping it in-house in a way that accessed your shit, then it's still your fault for doing that.

It would be nice if cause and effect actually blew back in the faces of the executives making these decisions for once. Whoever made the decision is responsible for the outcome. That'd be Clorox executives. This shit is like blaming one's sibling for dropping and breaking the antique vase they handed them in the first place. They shoulda known better.
I'm going to have to disagree here. What you're describing as "outsourcing" isn't necessarily a bad thing -- if it's not your core competency, it's normal to contract out to CROs or consultants. That's just a B2B deal and arguably, the right move depending on your business. No different than using SaaS instead of developing your own platform or cloud infrastructure like AWS instead of on-prem for instance.

The "bad" outsourcing we think about is when jobs are shipped overseas to cut costs at the expense of quality. I don't think Clorox is guilty of that here. If anything, it seems Cognizant is the one who likely did the bad kind of outsourcing and allowed poorly trained agents to reset a client's password without any reasonable security checks.

Clorox didn't hand a fancy expensive vase to their kid brother. They handed it to what they thought was the adult butler with protective gloves, who happened to bungle it and drop it like a child.
 
Upvote
21 (21 / 0)

eldakka

Ars Tribunus Militum
1,754
Subscriptor
I have to agree here. Clorox may not have been set up to quickly and effectively set up an IT system as well as outsourcing could do it. It's certainly possible they didn't have the expertise to even know if they were doing it right. Assuming they knew how to write a contract with Cognizant, it was Cognizant who was supposed to be the expert here and they failed.
Companies outsource all the time in things they aren't experts with. There's nothing wrong with it if it's done right. For example, I don't know of many largish companies that handle their own paychecks; they hire out Paychex or whoever since they know how to do it. That said, it sounds like Cognizant was the wrong company to outsource IT to.
While that is true, you should hire different firms to do the consulting on what your IT needs are and to help craft implementation/support contracts, and another firm to do the implementation and support, and yet a third firm to regularly audit your IT 'landscape' - are the original recommendations still valid? Is the implementing firm actually implementing the recommendations/contractual obligations?

It's pretty pointless hiring one firm to do the workup on what your IT needs are, policies, etc., and then using the same firm to implement all that. There's no sanity checking in this case.

If you use different (and un-related) firms to do the consulting on your needs vs the firm implementing those recommendations vs IT auditors, you have a built-in set of checks and balances against each of them.

This is, of course, excessive for a mom'n'pop-type setup, but once you are hitting tens of millions or more in revenue like, say, a Clorox-scale firm, to not do something like this is reckless.
 
Upvote
4 (7 / -3)

fisherjeff

Smack-Fu Master, in training
26
Subscriptor++
Update: A PR agency representing Cognizant reached out to us after publication with the following statement: "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox."
That’s exactly right, their internal cybersecurity system should have easily mitigated this attack of… um, logging in with valid credentials?
 
Upvote
36 (36 / 0)

graylshaped

Ars Legatus Legionis
68,738
Subscriptor++
Man, I wish I had balls like Cognizant. It doesn't matter if they were hired for cybersecurity, and I don't believe that's even being contested. Clorox is blaming them for their complete foolishness in willingly handing over credentials without verifying they were being given to the legitimate user, despite their promises (likely in writing) that user verification was being performed. They lied, and their claim when their lies cost their client money is "well you should've been more secure anyway". You can have all the security in the world but if your helpdesk is giving everyone on the planet access to your network, what's the point? That backhanded PR response is just icing on the excrement cake that is this situation.
I read that as the Otter defense: "You fucked up! You trusted us!"
 
Upvote
6 (6 / 0)

Woolfe

Ars Scholae Palatinae
1,251
Having worked at an outsourcer for a while in the naughties, this is both a problem on the Client and the Outsourcer side.

The Outsourcer has clearly not bothered with any security checks. Now I am going to give Clorox the benefit of the doubt and assume they had at least a modicum of rules around identifying a user. So the fact that not only a normal user, but a privileged user got past was ridiculous.

That being said, Clorox should have been testing this. It takes all of 5 minutes to run through a couple of test calls to your outsourcer to make sure they are following protocols. Or to review job logs and see what they were doing.

But businesses don't do this. They don't think they have to. They think that the Outsourcer should be professional enough to not need it. Yeah nah. It all depends on what you pay. If you are paying bottom dollar like most corps are, then you get what you pay for.

There is nothing inherently wrong with outsourcing, and sometimes it can be beneficial. But you have to manage it with good SLAs.
 
Upvote
7 (7 / 0)
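Two of the checks raised in this thread (seeding test calls against the outsourcer and reviewing its job logs) can both be done from the help desk's own ticket export, without access to the agents' systems. The block below is an added example, not code from any poster here and not Clorox's or Cognizant's tooling; the ticket fields, the proof names and the sample log lines are constructed for illustration.

```python
"""Retrospective review of an outsourced help desk's password-reset tickets:
flag resets issued without a real identity check, attribute them per agent,
and score the client's seeded test calls.

Added example, not from any poster in this thread. The ticket schema
(JSON object per line), the field names and the proof vocabulary are
assumptions; the TICKET_LOG below is constructed sample data."""
import json
from collections import Counter

# Proofs that require more than reciting facts about the account holder.
STRONG = {"callback_registered_phone", "mfa_push", "manager_approval",
          "site_contact_approval", "in_person_id"}
# Possession proofs alone are not enough for a privileged account; one
# proof must come from a second person the help desk contacted itself.
OUT_OF_BAND = {"manager_approval", "site_contact_approval", "in_person_id"}

# Constructed export: "test_call" marks calls the client placed itself,
# with no legitimate proof, to see whether the agent would reset anyway.
TICKET_LOG = """\
{"ticket":"T1001","agent":"a17","user":"jdoe","privileged":false,"proofs":["callback_registered_phone"],"reset":true,"test_call":false}
{"ticket":"T1002","agent":"a17","user":"svc_backup","privileged":true,"proofs":["employee_id"],"reset":true,"test_call":false}
{"ticket":"T1003","agent":"a22","user":"mlee","privileged":false,"proofs":[],"reset":true,"test_call":true}
{"ticket":"T1004","agent":"a22","user":"rsmith","privileged":false,"proofs":["manager_approval"],"reset":true,"test_call":false}
{"ticket":"T1005","agent":"a09","user":"pkaur","privileged":false,"proofs":["employee_id"],"reset":false,"test_call":true}
{"ticket":"T1006","agent":"a17","user":"domadmin2","privileged":true,"proofs":["mfa_push","manager_approval"],"reset":true,"test_call":false}
{"ticket":"T1007","agent":"a09","user":"tnguyen","privileged":false,"proofs":["employee_id","manager_name"],"reset":true,"test_call":false}
"""


def parse_tickets(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verification_gap(ticket):
    """Return the policy violation for a ticket, or None if it is clean."""
    if not ticket["reset"]:
        return None                                  # nothing was issued
    strong = set(ticket["proofs"]) & STRONG
    if not strong:
        return "reset with no strong proof"
    if ticket["privileged"] and (len(strong) < 2 or not strong & OUT_OF_BAND):
        return "privileged reset without two proofs incl. out-of-band approval"
    return None


def review(tickets):
    """Findings per ticket, counts per agent, and the test-call pass rate."""
    findings = [(t["ticket"], t["agent"], gap)
                for t in tickets if (gap := verification_gap(t))]
    per_agent = Counter(agent for _, agent, _ in findings)
    tests = [t for t in tickets if t["test_call"]]
    passed = sum(1 for t in tests if not t["reset"])   # a refused test call is a pass
    return {"findings": findings, "per_agent": dict(per_agent),
            "test_calls": len(tests), "test_calls_passed": passed}


if __name__ == "__main__":
    result = review(parse_tickets(TICKET_LOG))
    for ticket, agent, gap in result["findings"]:
        print(f"{ticket} ({agent}): {gap}")
    print(f"test calls refused: {result['test_calls_passed']}/{result['test_calls']}")
```

The per-agent count is what a vendor manager would take into the quarterly SLA review; the test-call score is the client-side check that does not depend on the outsourcer's self-reported compliance.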

Berserk

Smack-Fu Master, in training
83
Subscriptor
Staff turnaround is the biggest issue with IT-consultancy firms I have seen over the years. This is especially true in India, where the main way of raising your salary is by changing jobs, so people do this at least once a year. For each new person the quality goes down.

The client company needs to be very involved and preferably keep some capabilities in-house to coordinate the outsourced workers and not just hand over everything wholesale.
 
Upvote
5 (5 / 0)

dzid

Ars Centurion
3,373
Subscriptor
Staff turnaround is the biggest issue with IT-consultancy firms I have seen over the years. This is especially true in India, where the main way of raising your salary is by changing jobs, so people do this at least once a year. For each new person the quality goes down.
IME, many of the people on the IT-consultancy side that are most knowledgeable and/or involved in the transition of such systems and procedures also tend to be those with the ambition and ability to move up in their organization as quickly as possible.
The client company needs to be very involved and preferably keep some capabilities in-house to coordinate the outsourced workers and not just hand over everything wholesale.
This would be the ideal situation, as there's always going to be a need for ongoing validation and spot checks as well as to facilitate any changes to workflows. The less ideal situation is hearing "glad that's off our hands" coming from the C-suite.

edit: spelling
 
Upvote
3 (3 / 0)
If you made the decision to outsource the service desk to someone else instead of keeping it in-house in a way that accessed your shit, then it's still your fault for doing that.

It would be nice if cause and effect actually blew back in the faces of the executives making these decisions for once. Whoever made the decision is responsible for the outcome. That'd be Clorox executives. This shit is like blaming one's sibling for dropping and breaking the antique vase they handed them in the first place. They shoulda known better.
OK, you're entitled to your opinion.
Next time you get injured, feel free to go to a hospital. When you have a broken arm, but they amputate both your legs, don't bother suing. Even though the hospital is responsible for training its staff and ensuring you get the care you expected from them, it's your fault for not setting your arm yourself.
 
Upvote
10 (11 / -1)

gautier

Ars Praetorian
564
Subscriptor++
Many years ago, as the IT security director of a large MNC, I was in charge of securing the Help Desk password reset procedure. Designing a fully secured procedure with users in 35 countries and multiple time zones is just impossible without delaying the reset and sometimes affecting the business. The only way to identify if the request was legit was to ask another user, generally the designated security contact at the same site, to send the help desk the password change request. It was far from perfect and created a lot of pushback from the business side. Today there are a few technical solutions, but the Help Desk password reset operation is still one of the weak points.
 
Upvote
6 (6 / 0)
That works as long as you can get to your email on a PC without logging into the PC
If you can't log in to a PC, don't have your email on mobile or somewhere else, don't know your password, and also need an MFA reset, you will need to physically come to an office or have a manager physically come and approve this.

As simple as that. This is IT helpdesk 101.
 
Upvote
4 (8 / -4)
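The procedure described in the two posts above (a designated site contact or manager vouching for the caller, and an in-person or manager check when the MFA device itself is being replaced) can be written down as a decision rule the agent's tooling enforces rather than something left to the agent's judgement. The block below is an added example, not code from any poster here and not Clorox's or Cognizant's procedure; the proof names, the two-proof rule for privileged accounts and the delivery channels for the temporary password are assumptions for illustration.

```python
"""Help-desk credential reset gate: the identity proofs a reset request must
carry before a temporary password is issued, and how that password leaves
the building.

Added example, not from any poster in this thread. Proof categories, the
privileged-account rule (two independent proofs, one of them out-of-band)
and the delivery channels are assumptions made for illustration."""
import secrets
import string
from dataclasses import dataclass, field
from enum import Enum, auto


class Proof(Enum):
    # Facts anyone who researched the target can recite; never sufficient alone.
    KNOWS_EMPLOYEE_ID = auto()
    KNOWS_MANAGER_NAME = auto()
    # Control of something already on file before the call.
    CALLBACK_REGISTERED_PHONE = auto()   # agent hangs up and dials the HR-recorded number
    MFA_PUSH_APPROVED = auto()           # caller approves a push on the enrolled device
    # A second person the help desk contacts itself (the "site security contact" model).
    MANAGER_APPROVED = auto()
    SITE_SECURITY_CONTACT_APPROVED = auto()
    IN_PERSON_ID_CHECK = auto()


POSSESSION = {Proof.CALLBACK_REGISTERED_PHONE, Proof.MFA_PUSH_APPROVED}
OUT_OF_BAND = {Proof.MANAGER_APPROVED, Proof.SITE_SECURITY_CONTACT_APPROVED,
               Proof.IN_PERSON_ID_CHECK}


@dataclass
class ResetRequest:
    ticket: str
    username: str
    privileged: bool                 # admin, service-desk or domain-level account
    mfa_reset_requested: bool        # caller also wants the MFA device re-enrolled
    proofs: set = field(default_factory=set)


@dataclass
class Decision:
    approved: bool
    reason: str


def evaluate(req: ResetRequest) -> Decision:
    """Apply the verification policy; recited facts never count on their own."""
    strong = req.proofs & (POSSESSION | OUT_OF_BAND)
    if req.mfa_reset_requested:
        strong -= {Proof.MFA_PUSH_APPROVED}   # the device being replaced cannot vouch for itself
    if not strong:
        return Decision(False, "no proof beyond recited facts; callback, MFA push "
                               "or manager/site-contact approval required")
    if req.mfa_reset_requested and not strong & OUT_OF_BAND:
        return Decision(False, "MFA re-enrolment needs in-person ID or "
                               "manager/site-contact approval")
    if req.privileged and (len(strong) < 2 or not strong & OUT_OF_BAND):
        return Decision(False, "privileged account: two independent proofs, "
                               "one of them out-of-band")
    return Decision(True, "verified via " + ", ".join(sorted(p.name for p in strong)))


def issue_temporary_password(req: ResetRequest, length: int = 16) -> dict:
    """Issue a must-change temporary password only for an approved request,
    routed to a channel already on file rather than read back to the caller."""
    decision = evaluate(req)
    if not decision.approved:
        raise PermissionError(f"{req.ticket}: {decision.reason}")
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    # Assumed delivery rule: SMS to the registered number when that number was
    # verified by callback, otherwise hand it to the approving manager/contact.
    channel = ("registered_mobile_sms" if Proof.CALLBACK_REGISTERED_PHONE in req.proofs
               else "approving_contact")
    return {"ticket": req.ticket, "user": req.username, "temporary_password": temp,
            "must_change_at_next_logon": True, "deliver_via": channel,
            "verified_by": decision.reason}


if __name__ == "__main__":
    # Constructed calls: a caller who only knows facts, and a verified admin reset.
    for r in (ResetRequest("T1", "jdoe", False, False, {Proof.KNOWS_EMPLOYEE_ID}),
              ResetRequest("T2", "domadmin", True, False,
                           {Proof.CALLBACK_REGISTERED_PHONE, Proof.MANAGER_APPROVED})):
        d = evaluate(r)
        print(r.ticket, "APPROVED" if d.approved else "DENIED", "-", d.reason)
```

The point of the `mfa_reset_requested` branch is the case the "helpdesk 101" post describes: once the caller claims to have lost both the password and the MFA device, nothing the caller can produce over the phone is evidence, so the rule falls back to a second person or a physical visit. The reason string is kept on the decision so it can be written to the ticket, which is what a later log review has to work from.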

Derecho Imminent

Ars Legatus Legionis
16,490
Subscriptor
This is so simple. It's your bridge. If you outsource to a guy who makes the rivets, it's still your bridge. If he gets the rivets wrong, you're the one responsible for whether the bridge falls because it's your bridge. It doesn't matter what the fuck your contract looked like, it's still your bridge. So you better put systems in place to make sure he does it right.
This is not a bridge that hurt individual citizens when it failed. The only one that was hurt was Clorox itself. Your comment is like blaming the homeowner for a burglary because the front door locks they bought weren't good enough.

edit: or like blaming the homeowner because the lock company started handing out keys.
 
Upvote
10 (10 / 0)

morlamweb

Ars Scholae Palatinae
1,439
Said CIO probably got a huge bonus for the cost savings and will have a golden parachute on the way out. And yes, it was absolutely the Clorox company that shot themselves in the foot to save a few short-term dollars.
Outsourcing an IT service desk to a third-party provider isn't inherently a problem. The problem is that Cognizant was stunningly bad at IT security, despite many explicit statements, in writing, to the customer that they were following all best practices in IT security. That, if I may borrow a phrase, is "The Real WTF (tm)".

I think the bias here against IT outsourcing comes from the fact that many commenters work in, or have worked in, service desk positions and see outsourcing as a job threat. Which it is, I suppose, and my own experience with outsourced IT is that the first-line people are incompetent and are just an obstacle to get around to finally get to the knowledgeable folks, but I'm always careful not to generalize from personal anecdotes.
 
Upvote
11 (12 / -1)
Why do I suspect that discovery will show that some Clorox exec went all Karen on Cognizant about how difficult it was to do password recovery properly, and Cognizant just started doing no-check resets?
This (to a degree).

Outsourced IT have SLAs to meet. Often they are out of touch with reality due to cost measures from one of the parties. It's possible that the full playbook of identity verification may have taken a longer period of time, which may have been causing SLAs to not be met for level 1 support tickets.

If this was the case then help desk supervisors should have escalated this to management so account reset and verification had a different SLA in the contract. When I worked for outsourced IT, these types of discussions were held quarterly with the customer and were part of the contract terms.

It’s likely the bad actors tried this several times on dry runs before their attack. This also could have been tested and prevented by thorough third party penetration testing which includes social engineering attempts with their help desk.

Hopefully more details come out in discovery as the suit progresses.
 
Upvote
8 (8 / 0)
Said CIO probably got a huge bonus for the cost savings and will have a golden parachute on the way out. And yes, it was absolutely the Clorox company that shot themselves in the foot to save a few short-term dollars.
Genuine question: how do folks actually end up estimating the savings in outsourcing? Is it as straightforward as “it will cost $20 a month to do it in house but my friend Jimmy says his company will do it for $15”? Or are there standardized things that also get taken into account like costs to migrate, to have a liaison for the subcontractor, likelihood that subcontractor’s prices will increase over time, changes to customer satisfaction, etc?
 
Upvote
2 (2 / 0)

GaidinBDJ

Ars Scholae Palatinae
1,396
Subscriptor
Genuine question: how do folks actually end up estimating the savings in outsourcing? Is it as straightforward as “it will cost $20 a month to do it in house but my friend Jimmy says his company will do it for $15”? Or are there standardized things that also get taken into account like costs to migrate, to have a liaison for the subcontractor, likelihood that subcontractor’s prices will increase over time, changes to customer satisfaction, etc?

Well, right off the bat, specialization and scale are almost always universally cheaper. And things like rates and increases are usually negotiated pretty far in advance, meaning the pencil pushers have a reasonable estimate they can use to see how long it'll take to offset the costs of migration. Performance standards are usually baked right into the contract (sometimes even including bonuses/penalties) and, as Clorox is demonstrating, you also have the civil law system to recover losses.
 
Upvote
10 (10 / 0)

ianstar

Ars Praetorian
423
Subscriptor++
Cognizant isn't just some random unqualified vendor though. They are one of the most successful IT service companies in the world, and by experience and industry success should be eminently qualified.

But no matter how great the vendor supposedly is, the company still needs to find ways to validate how well the service is being provided, test the security, etc. That said, the major blame still lands on Cognizant
Just because they make a lot of money doesn’t make them good. I have worked with Cognizant before, both directly on a project and as an end user when they ran the help desk. Both experiences were very bad.
 
Upvote
7 (8 / -1)

McKoogly

Smack-Fu Master, in training
81
I am sorry, but we need to pick a lane with this.

On articles about non-IT companies messing up their IT by trying to do it in house, they are mocked for trying to do something so obviously out of their skillset.

Then on articles like this where a non-IT company does contract out their IT, they are mocked for not trying to do it themselves.

So what is the recommended approach here? Should non-IT companies try to do it themselves, or should they contract out to experts?

And thinking of this from the other perspective, say an IT company needs to do something outside of their area of expertise, like building renovations. Do we expect them to hire construction workers and attempt to do it in house, or contract out to a renovation company? If they do contract out and the renovation company fails to live up to their end of the contract, do we blame the IT company for not trying to do the renovations in house?
Small IT department at a small hospital. We do a lot. Two techs, two eMAR nurses, manager. The phone system we do, but if we have questions, we go to the people that put in the system. Networking, servers, switches handled by a vendor. We know what we can and cannot do. Or what we have time for. We go to our vendors for assistance, and not farmed out. We also care and know each end user. We have a contact with a security company to scan our network, test our users with emails and phone calls. They've tried and failed to get our information. It's some of our consultants that worry me.
 
Upvote
2 (3 / -1)

guavasec

Wise, Aged Ars Veteran
101
Can anyone who downvoted this explain why? Do you think outsourcing somehow makes it not Clorox’s fault??? All companies are responsible for their IT. Outsourcing doesn’t change that.
You're oversimplifying it. Clorox is responsible to their customers, and Cognizant is responsible to theirs. They both failed.
 
Upvote
1 (8 / -7)
I am sorry, but we need to pick a lane with this.

On articles about non-IT companies messing up their IT by trying to do it in house, they are mocked for trying to do something so obviously out of their skillset.

Then on articles like this where a non-IT company does contract out their IT, they are mocked for not trying to do it themselves.

So what is the recommended approach here? Should non-IT companies try to do it themselves, or should they contract out to experts?

And thinking of this from the other perspective, say an IT company needs to do something outside of their area of expertise, like building renovations. Do we expect them to hire construction workers and attempt to do it in house, or contract out to a renovation company? If they do contract out and the renovation company fails to live up to their end of the contract, do we blame the IT company for not trying to do the renovations in house?
You are misunderstanding the issue. No one is saying do it yourself; they are saying do it in house. There is a big difference between a CEO trying to do IT work and a CEO hiring an IT department.......
 
Upvote
-18 (0 / -18)

Derecho Imminent

Ars Legatus Legionis
16,490
Subscriptor
Say what you want about outsourcing but the fact that Cognizant literally just gave them the passwords is like some next level incompetence. Hope the contract was cheap because you certainly got what you paid for.
They are suing because they literally did not get what they paid for.
 
Upvote
19 (19 / 0)