In a lawsuit filed this week in California state court, Clorox alleges that IT provider Cognizant Technology Solutions enabled one of the most damaging cybersecurity breaches in the company’s history, due to a lack of secure processes in routine support interactions rather than any underlying technical failure.
The breach, carried out in August 2023 by the group Scattered Spider, led to an estimated $380 million in damages. According to the lawsuit, hackers gained access by calling Cognizant's help desk and requesting employee credentials, rather than exploiting malware or complex code. The support agents, Clorox claims, complied without verifying the caller's identity. One quoted exchange included the impersonator saying, “I don’t have a password, so I can’t connect,” to which the agent responded, “Let me provide the password to you.”
Cognizant disputes the claims, stating it was retained for a narrow scope of help desk services and not responsible for cybersecurity oversight. But the distinction between responsibility and liability, while critical in court, does little to address the operational reality: support interactions are now a vector for attack. When identity verification is absent, any entry point can be compromised.
While that may sound frightening, organizations can avoid it completely by simply enforcing identity verification through controlled systems that limit who can initiate sensitive actions and how those requests are processed. Our service, Traceless, confines support interactions, such as credential resets or access changes, to authenticated, time-bound workflows that link directly to verified user identities. It quietly protects help desk flows from voice spoofing and attacks like Scattered Spider by using Traceless directly inside tools like ServiceNow, Slack, Teams, or whatever your help desk is using, so your teams stay protected without slowing down support.
Outsourced Trust Without Technical Guardrails
The Clorox breach is part of a broader pattern. In the same year, MGM Resorts suffered a similar incident. In both cases, attackers gained initial access not through code, but through conversation. This shift, from system exploitation to trust exploitation, has altered the risk landscape for organizations relying on managed service providers (MSPs), enterprise IT firms, and third-party support teams.
These vendors often hold critical roles: resetting credentials, provisioning access, and resolving urgent technical issues. Yet many still operate without hardened identity workflows. Verification is often informal, performed over phone or email, based on gut feeling or internal knowledge checks. The consequences, as Clorox illustrates, are no longer theoretical. $50 million in remediation costs followed the breach. The remaining $330 million in damages resulted from halted manufacturing, missed shipments, and reputational fallout.
This was not a case of individual error. The process itself lacked the necessary safeguards. Access was granted as intended, but without a system in place to enforce identity verification. In the absence of a mandatory, auditable control layer, support staff are left to make high-stakes decisions without the structural protections required to prevent impersonation.
What This Means for the Future of Support Operations
Clorox's legal claim will play out over time. But for IT providers and MSPs, the lesson is immediate. If your team can issue credentials based on a phone call, you are structurally exposed. The threshold for attacker success is not high sophistication, but basic persistence.
The distinction between "help desk" and "cybersecurity" becomes academic once credentials are issued.
It is also worth acknowledging that this is not a case of novel exploitation. As one security expert noted in the Reuters report, the attackers “just tried what typically works.” The fact that it did work points not to the sophistication of Scattered Spider, but to a lingering failure across the industry to modernize identity protocols.
Any vendor with privileged access, regardless of the scope defined in a contract, operates within the client’s risk perimeter. The distinction between "help desk" and "cybersecurity" becomes academic once credentials are issued. Secure support means verified users, authenticated requests, and clearly bounded workflows. Without this, trust becomes informal. And informal trust, at scale, becomes a systemic vulnerability.
Support is no longer a backend function. It is a frontline decision point. And it must be treated with the same scrutiny, discipline, and architectural foresight that we apply to any other component of enterprise security.
If a system like Traceless had been in place, the request would never have advanced. The support agent would have required the caller to submit a Trace through a secure interface. This Trace would have acted as a one-time, cryptographically bound prompt tied to the user’s verified identity. Without it, the request would not be accepted, and the session would end. No credentials issued. No access granted. No breach. The process removes ambiguity and limits discretion, not through policy reminders or staff vigilance, but through design.
Want to see how Traceless can prevent your company from experiencing the same fates as Cognizant and Clorox? Book a demo HERE and let us show you how easy it truly is!