
After $380 Million Hack, Clorox Sues Its 'Service Desk' Vendor For Simply Giving Out Passwords (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hacking is hard. Well, sometimes. Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity. So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed. So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant -- and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk. In the words of a new Clorox lawsuit, Cognizant's behavior was "all a devastating lie," it "failed to show even scant care," and it was "aware that its employees were not adequately trained."

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," says the lawsuit, using italics to indicate outrage emphasis. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox's corporate network to the cybercriminal -- no authentication questions asked." [...] The new lawsuit, filed in California state courts, wants Cognizant to cough up millions of dollars to cover the damage Clorox says it suffered after weeks of disruption to its factories and ordering systems. (You can read a brief timeline of the disruption here.)
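The summary above describes two calls in which a password reset plus an Okta and a Microsoft MFA reset were granted with no identity check, the second time for a more trusted IT security account. The following is an added example (not code from Clorox, Cognizant, or Ars Technica) showing what a service desk policy gate and a matching audit over fulfilled tickets could look like from the defender's side. The evidence labels, the policy table, the `ResetRequest` fields and every ticket are hypothetical or constructed for the example.

```python
"""Credential-reset gate for a service desk, plus an audit over fulfilled tickets.

Added example, not code from Clorox, Cognizant, or Ars Technica. The evidence
names, the policy table and every ticket below are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    OKTA_MFA_RESET = "okta_mfa_reset"
    MICROSOFT_MFA_RESET = "microsoft_mfa_reset"


# Evidence an agent can record about the caller (hypothetical labels).
CALLBACK = "callback_to_number_on_file"   # agent hangs up and calls the HR-registered number
MANAGER_APPROVAL = "manager_approval"     # manager confirms from their own authenticated session
LIVE_VIDEO_ID = "live_video_id_check"     # caller shows company ID on a video call

# Per action, the acceptable evidence combinations (any one set is enough).
# Knowledge-based questions are deliberately absent: a caller who already
# knows employee details can answer them.
REQUIRED_EVIDENCE = {
    Action.PASSWORD_RESET: ({CALLBACK}, {LIVE_VIDEO_ID}),
    Action.OKTA_MFA_RESET: ({CALLBACK, MANAGER_APPROVAL}, {LIVE_VIDEO_ID, MANAGER_APPROVAL}),
    Action.MICROSOFT_MFA_RESET: ({CALLBACK, MANAGER_APPROVAL}, {LIVE_VIDEO_ID, MANAGER_APPROVAL}),
}
MFA_ACTIONS = {Action.OKTA_MFA_RESET, Action.MICROSOFT_MFA_RESET}


@dataclass(frozen=True)
class ResetRequest:
    ticket_id: str
    claimed_user: str
    actions: frozenset          # set of Action requested in the call
    evidence: frozenset         # evidence labels the agent actually recorded
    privileged: bool = False    # account holds IT/security roles
    fulfilled: bool = False     # agent performed the reset


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate(req: ResetRequest) -> Decision:
    """Apply the policy to one request; every unmet rule becomes a reason."""
    reasons = []
    for action in sorted(req.actions, key=lambda a: a.value):
        if not any(option <= req.evidence for option in REQUIRED_EVIDENCE[action]):
            reasons.append(f"{action.value}: verification evidence insufficient")
    if req.privileged and MANAGER_APPROVAL not in req.evidence:
        reasons.append("privileged account: manager approval required for any reset")
    # Resetting the password and every MFA factor in one call hands over the
    # whole account; require the strongest check for that combination.
    if Action.PASSWORD_RESET in req.actions and req.actions & MFA_ACTIONS:
        if LIVE_VIDEO_ID not in req.evidence:
            reasons.append("password and MFA reset together: live identity check required")
    return Decision(approved=not reasons, reasons=reasons)


def audit(requests) -> list:
    """Ticket ids that were fulfilled although the policy would have denied them."""
    return [r.ticket_id for r in requests if r.fulfilled and not evaluate(r).approved]


# Constructed tickets (not real data). T-1001 and T-1002 mirror the pattern in
# the article: full reset of an ordinary account, then of a privileged one,
# with no verification recorded. T-1003 is a legitimate password reset.
SAMPLE_TICKETS = (
    ResetRequest("T-1001", "user.one", frozenset(Action), frozenset(), fulfilled=True),
    ResetRequest("T-1002", "itsec.admin", frozenset(Action), frozenset(), privileged=True, fulfilled=True),
    ResetRequest("T-1003", "user.two", frozenset({Action.PASSWORD_RESET}), frozenset({CALLBACK}), fulfilled=True),
    ResetRequest("T-1004", "user.three", frozenset({Action.OKTA_MFA_RESET}), frozenset({CALLBACK})),
)

if __name__ == "__main__":
    for ticket in SAMPLE_TICKETS:
        decision = evaluate(ticket)
        print(ticket.ticket_id, "APPROVE" if decision.approved else "DENY", decision.reasons)
    print("fulfilled without required verification:", audit(SAMPLE_TICKETS))
```

Running the block denies T-1001 and T-1002 (no evidence at all, and the second is a privileged account), approves T-1003, and the audit lists exactly T-1001 and T-1002 as resets that were carried out without the required verification. The design point is that the gate keys on evidence the agent must record, so the same policy both blocks the call in real time and leaves an auditable trail that a contract owner can check during drills.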

  • by Joe_Dragon ( 2206452 ) on Wednesday July 23, 2025 @05:37PM (#65540512)

    don't outsource to the lowest bidder!

    • by rsilvergun ( 571051 ) on Wednesday July 23, 2025 @05:48PM (#65540534)
      Because you will get bonuses and promotions for saving money and be well on your way and gone by the time the shit hits the fan.

      We always focus on how things like stock BuyBacks create short-term incentives that destroy the economy.

      But there's a hundred other ways that our current system creates incentives for short-term thinking.

      Honestly overall I think that the people at the top come out ahead in all this. It's mostly us on the bottom or maybe one or two rungs up that have to deal with the fallout.

      It's like any casino: the House always wins. I mean, I guess any casino that isn't owned by Donald Trump, but you get the point.
      • Who wants to bet Clorox is insured and suffered no actual losses?

        • by jhoegl ( 638955 )
          Tell me you don't know how insurance works without telling me you don't know how insurance works.
          • What Is Business Crime Insurance?
            Business crime insurance, also known as commercial crime insurance, is a type of insurance policy that a business can buy to protect itself from losses from business-related crime. Protection through the policy can cover cash, assets, merchandise, or other property loss when someone perpetrates fraud, embezzlement, forgery, misrepresentation, robbery, theft, or any other type of business-related crime on the company.

        • Who wants to bet the insurance company cancelled the policy or refused to pay when they discovered the attack vector was a sub-contractor giving out the keys to the kingdom?
      • by gweihir ( 88907 )

        Honestly overall I think that the people at the top come out ahead in all this. It's mostly us on the bottom or maybe one or two rungs up that have to deal with the fallout.

        And in addition, the cretins at the top are typically not the reason the company did well some time in the past, but the ones at the bottom are what usually keeps enterprises going.

      • Except you're not on the bottom.
        Not even close.
        If you're in the US and middle class, you're VASTLY WEALTHY and fantastically well-off compared to the bulk of humanity today, or especially historically.

        • by AnOnyxMouseCoward ( 3693517 ) on Thursday July 24, 2025 @10:22AM (#65542228)
          Can we stop with this? You're right, the average American is vastly better off than the average person in Africa or Asia. But that's irrelevant to the people at the bottom of the pyramid in the US. You're part of your own society, and despite sharing a planet, the reality of folks across that planet is different.

          Within the US, there are "better offs" and "worse offs", and the better offs are maximizing their profits at the expense of the others. The fact that those same better offs are treating the bottom of the pyramid in other countries even worse, and therefore that the US bottom is doing relatively better than the other bottoms, doesn't mean this situation is right.

          We've built a society that doesn't care about its people, other than as a means of profit. Our decisions are short-term, to maximize such profits, and then our leaders that have benefited from this system will blame everyone but themselves when it leads to problems (e.g., blame the Chinese for stealing our manufacturing, not the CEOs and Board of Directors that have decided that low cost is better than giving jobs to Americans).
          • And the average American won't be better off than the average African anymore.

            Our ruling class looks at the insane amounts of wealth that other ruling classes have and says, hey I want that!

            They are painfully aware that they are dependent on you to be consumers and buy their products and they don't like that. They are working hard to make sure they sever that dependency and with it your access to wealth and prosperity.

            Like somebody said, AI exists so that wealth can access skill without skill ac
    • by jobslave ( 6255040 ) on Wednesday July 23, 2025 @06:55PM (#65540716)

      don't outsource to any bidder, IT shouldn't be outsourced at all if you care about your security.

      • don't outsource to any bidder, IT shouldn't be outsourced at all if you care about your security.

        Your post needs to be at +5 informative or insightful.

      • by Anonymous Coward

        don't outsource to any bidder, IT shouldn't be outsourced at all if you care about your security.

        Bullshit. Internal IT can be just as incompetent as Cognizant.

      • by HiThere ( 15173 ) <charleshixsn @ e a r t h l i n k .net> on Wednesday July 23, 2025 @08:34PM (#65540920)

        I'm not sure a chemicals company shouldn't outsource its IT, but I am sure that if it does it should have strong liability requirements in the contract. Theoretically a company that specializes in providing IT services should do a better job. But you need to be able to check that they *are* doing a better job, and demand various penalties if they aren't. (I'd say just switch, but that itself can be expensive and trouble-prone.)

        It's definitely better if you have in-house expertise of good quality. But would your management even recognize good quality IT?

      • by AmiMoJo ( 196126 )

        Can every random company develop a team of crack IT people to protect its networks though? That's the kind of thing that takes time to build up, and a lot of effort to maintain. Most managers wouldn't even know where to start.

        Outsourcing can improve security for some businesses. Look at Gmail. Never been mass hacked, has great security features with strong 2FA and notifications to your other devices every time someone logs in. Malware detection is top notch. Most IT admins could not run a service that secur

        • by Khyber ( 864651 )

          "Look at Gmail. Never been mass hacked"

          Nah they just allow relay attacks, which is far worse.

      • by EvilSS ( 557649 )
        But if my guys screw up, then I'm on the hook. If our outsource partner screws up, then I can point the finger at them and sue them.
    • by hamburger lady ( 218108 ) on Wednesday July 23, 2025 @07:27PM (#65540784)

      the second-lowest bidder would never make such a crass mistake

    • by wwphx ( 225607 )

      "don't outsource to the lowest bidder!"

      How about just don't outsource critical functions?

      Clorox is more than large enough to keep their help desk organization in-house. They didn't need to outsource it; it was all a money grab. Reduce the head count because MBAs who have no respect for IT are running the company.

  • by nwaack ( 3482871 ) on Wednesday July 23, 2025 @05:44PM (#65540528)
    But since you outsourced this work, I can't say I feel bad for you.
    • Re: (Score:3, Insightful)

      by mysidia ( 191772 )

      The breach is Clorox's fault.

      A company's service desk IS an internal IT/Security function. Just because you found a contractor to fill in for the work does not mean your company is no longer responsible for determining what your procedures are and making sure your contractors abide by them and enforce them.

      There are also ways of conducting drills and verifying that your contractors' agents follow the rules and don't do dumb shit. If security rules are not in place for how to verify personnel for pass

      • by taustin ( 171655 ) on Wednesday July 23, 2025 @06:04PM (#65540574) Homepage Journal

        This isn't about who is at fault. It's about contractual obligations, and reasonable expectations to follow standard practices.

        Clorox may well have been foolish, though there are millions of companies that outsource their IT. But Cognizant was (according to the suit) in violation of their contractual obligation to follow standard industry practices.

        If your bank account were compromised because some scammer called the bank on the phone pretending to be you, and your bank made no effort to verify the caller, would that be your fault for having the account with them in the first place? Or would you squeal like a stuck pig over the loss from their irresponsible practices?

        • by unrtst ( 777550 )

          This isn't about who is at fault.

          /me rereads TFS. Um, yeah right! "Clorox sues its service desk"

          ... It's about contractual obligations, and reasonable expectations to follow standard practices.

          That's how the lawsuit is doing its thing, but the end users that were impacted don't need to care about that part. They are doing business with Clorox, and how Clorox (mis)handled their data is the problem. As the previous poster noted, Clorox could have been verifying that said procedures were being followed (that's due diligence).

          If your bank account were compromised because some scammer called the bank on the phone pretending to be you, and your bank made no effort to verify the caller, would that be your fault for having the account with them in the first place? Or would you squeal like a stuck pig over the loss from their irresponsible practices?

          You overlooked one of the parties involved. Was that on purpose? The above sounds like exactly what happened to

          • His point is that two parties had an agreement, and party one had a reasonable expectation for basic security practices to be followed by party two.

            He isn't invoking the end user. He is reframing the situation to include you or me as party one, and our bank as party two. While we do have some agency as to who we bank with and should vet accordingly (Wells Fargo, fintechs), we have a reasonable expectation for our party two to uphold their side of things.

            • by taustin ( 171655 )

              Particularly regarding decades old industry standard practices that are industry standard practices because of this kind of criminal activity.

            • by nosfucious ( 157958 ) on Thursday July 24, 2025 @03:07AM (#65541536)

              When outsourcing IT (I can't talk about other business functions), it has often been that not only does the lowest bidder win, but the C-Suite then wash their hands of IT and consider the job done.

              And that's the kicker.

              What comes back to hurt the company in the end is:
              - IT often is the only record of business knowledge across business functions (e.g., the how and why things are done). Often, the company is in such a rush to demonstrate the unicorn-like savings that the IT are out before the new guys come in.
              - New requirements cost money. No external provider is going to do something that costs money or takes more time for free. Suddenly C-suite farts into a bottle cost actual money, so don't get implemented. Sadly, new requirements like challenge-response identity verification (secret questions) get left off the table.
              - Performance metrics, as measured externally (to the service provider), cost money, and rely on someone knowing (a) what to measure, (b) how to measure it and (c) how that relates to the service provided. So, see all of the above; mostly it doesn't get done.

              Sigh. IT Outsourcing is a great way to bring in skills in the short term. It can even take over specific functions. But you need to retain internal control with someone that knows what the service delivers. It is never going to serve a business well to outsource the whole function.

              To summarise the summary: You need to pay the going rate for someone that cares and does a good job, or you are going to have a lot of grief. Pay peanuts, get hacked.

          • by taustin ( 171655 )

            This isn't about who is at fault.

            /me rereads TFS. Um, yeah right! "Clorox sues its service desk"

            Which is what you do when one party to a contract doesn't live up to their obligations under said contract. That is, literally, the entire point. Contractual obligations.

            ... It's about contractual obligations, and reasonable expectations to follow standard practices.

            That's how the lawsuit is doing its thing, but the end users that were impacted don't need to care about that part.

            Clorox isn't suing the end users, they're suing the company they had a contract with that (according to the suit) they did not live up to.

            They are doing business with Clorox, and how Clorox (mis)handled their data is the problem.

            And they can sue Clorox if they choose to. But Clorox is suing the IT company that (according to the suit) didn't live up to their contractual obligations.

            As the previous poster noted, Clorox could have been verifying that said procedures were being followed (that's due diligence).

            And Cognizant could have followed well established

            • by unrtst ( 777550 )

              As the previous poster noted, Clorox could have been verifying that said procedures were being followed (that's due diligence).

              And Cognizant could have followed well established standard industry practices, but apparently, in your excuse for a mind, they are 100% completely blameless for not doing so.

              GDIAF, jerk. No one said they were "100% completely blameless".

              But they are, according to you, literally saints, completely blameless for their negligence, and should be literally worshipped for their piety. Or maybe they're paying you to spread bullshit that makes them look less negligent. Could go either way.

              Damn, who pissed in your wheaties? Settle down, this is just slashdot.

              Let's see where this started:

              Maybe it's not technically your fault, Clorox But since you outsourced this work, I can't say I feel bad for you.

              The breach is Clorox's fault. ...

              [taustin] This isn't about who is at fault. It's about contractual obligations, and reasonable expectations to follow standard practices.

              See? People were discussing who was at fault for the breach. They weren't talking about the lawsuit nor the contract. You went there. It's why I commented, "That's how the lawsuit is doing its thing, but the end users that were impacted don't need to care about that part."

              I'll try to use small words this time: Clorox isn't suing the end users. If any end users are suing them, that is not part of this lawsuit. ...

              Yawn! I just don't care about their contract tiff, and that's not what the t

      • The breach is Clorox's fault.

        A company's service desk IS an internal IT/Security function. Just because you found a contractor to fill in for the work does not mean your company is no longer responsible for determining what your procedures are and making sure your contractors abide by them and enforce them.

        There are also ways of conducting drills and verifying that your contractors' agents follow the rules and don't do dumb shit. If security rules are not in place for how to verify personnel for password resets, and under what conditions resets can be completed, then Clorox would be responsible for not making certain that they are in place.

        The problem is that this was likely due to one person being an idiot. The haste to blame Clorox sounds like you believe that if it was internal IT, it wouldn't have happened.

        For almost everything, I agree with you. IT should be internal, and drills and pen testing should happen. But it is quite possible to hire a dipshit.

  • Serious question. Seems to me that anything 'mission critical', should be on a separate private network. I can see how HR, and Sales need the internet, but production computers shouldn't even have USB ports.. in my humble opinion. Engineers should probably have two computers, one to look up stuff on the internet, and the other to generate software, procedures, and documentation.
    • Because it lets people work remotely. Companies don't want you working from home because that devalues the CEO's commercial real estate investments. But they do want you to be able to log in on a moment's notice and put in an extra 10 hours from home in addition to the 50 that you put in at the office.

      Yeah, they could run a leased line to your house, but that's stupidly expensive. Using the internet, it's not even a fraction of the cost.
      • I didn't think of that angle. I think you are partly sarcastic, but there is truth to what you said. Still, in the grand scheme of things, buying 2 computers per employee seems cheaper than even properly securing 1 computer. "Mission Critical" computers that could only be updated locally by Engineers, and Production Managers, would put the scammers out of business, so it seems to me. I think it would also be a good idea to toss a clean linux, or windows image on each internet connected computers once a w
        • by unrtst ( 777550 ) on Wednesday July 23, 2025 @06:32PM (#65540662)

          Don't need multiple computers nor a leased line. IME, the modern way uses a VM on the users machine, and it connects to the enterprise network over a VPN, and that traffic is then heavily restricted to only the sites the user is allowed to go to.

          That said, GP post misses the mark. A separate computer wouldn't make a difference in this case. There is centralized authentication, and it is used to access services that are generally available on the net (ex. cloud services). Don't need to access a personal computer; just their account and the directory.

    • How are you supposed to copy code you found on the internet, type it out manually from one screen to the other?

      • Good point. Full disclosure, I do something like this at work. I have a Win 10 computer that is connected to the internet, and a Win 7 machine that I write software on. I have a router that connects the two, and when I need the internet, I "remote desktop" from the Win 7 machine to the Win 10 machine. Yes, I can copy and paste between the two. It seems to me that my Win 7 machine would be a more difficult "attack vector", as malware would have to go through the remote desktop. I could be wrong,
    • Why do companies use computers at all?

      These days, a computer is little more than a tool to access the internet. Without the internet, the computer is pretty useless.

      Companies put their computers on the internet because they need to collaborate, both with each other, and with people outside the company. It's that simple.

      This need to collaborate includes things that are "mission critical."

      • I remember days when everything was on paper, and in a file cabinet. In fact, where I work now, we have probably 12 old file cabinets now that nobody ever uses. Back in the day, there was a system where everything was written down in file cabinets, and I am wondering why not do that today? Hospitals and Corporations could set up a system where a procedure, or contracts, or whatever, could be printed out and filed. It would be a complete mirror of what is on the computers. If the computers are hacked,
        • Go ahead, propose that idea at your company and see how far it goes.

          Computers are used because they are far more reliable and efficient than humans writing things on paper. Companies used to have to hire people to do nothing more than filing documents in the proper place.

          Also, your file cabinets full of paper aren't immune from disaster. If your building floods or burns, they're gone forever.

          • That would just create work for me.... lol. My boss believes: "if it is not written down, then it is not done". He would be all in for a paper backup of everything. As for software, I also remember back in the 90's, we put floppy disks in a file cabinet. Now a USB disk or two would be all that is needed. I can imagine a computer system that would know what papers should be in the file cabinet, what is outdated and should be removed, all that would be needed is a few extra minutes to print out
            • Personally, I don't even like to run my own finances on paper. Literally all my records, from insurance to mortgage to land deeds to medical documents to tax returns--everything--if it was on paper, I scanned it and shredded it years ago. All my file cabinets are gone. Now, if I want to find something, I just search for it on the computer. I for one love being paperless.

            • by HiThere ( 15173 )

              Floppies were the wrong answer, so is a USB stick. CD-ROMs (write once) or DVDs (write once) would be a good choice, though. The point is to not have the work be revisable. Paper is pretty good for that, and so are CD-ROMs and DVDs.

            • by Khyber ( 864651 )

              "My boss believes: "if it is not written down, then it is not done""

              If you are an ISO 9001 certified establishment, that's literally the belief of the certification body.

        • I am wondering why not do that today?

          That kinda still exists in Japan

          Fax machines and cash-only stores: Japan struggles to go digital [aljazeera.com]

          • I think that is a cool citation, and article. I am kind of an old person, and I do cash for almost everything. Off topic thoughts..... I recently heard a podcast where a lawyer makes his living off of suing people sending "FAX spam", yes that is a thing in America, mostly, I guess for pharmacies. I also find it kind of 'creepy' to use credit cards or payment systems, as I don't want that information spread around to companies, or the Government. They don't need to know where I buy cigars, or wha
        • by Ksevio ( 865461 )

          There are digital versions of that which are easier to use and more reliable. All the data can be backed up to off-site storage at regular intervals and you can even store a drive or tape in a filing cabinet. If there's an issue, it's a matter of minutes or hours to restore a backup, not days or weeks with paper

          • Of course you are correct. One case that this does not fix is where a hacker steals "recipes" from a company. For example, I guess China does this with hacker farms. They steal "recipes", and reproduce them.
  • "I am shocked!- (Score:4, Insightful)

    by locater16 ( 2326718 ) on Wednesday July 23, 2025 @05:49PM (#65540540)
    -Shocked to find outsourcing to the cheapest vendor resulted in inadequate service!"
    "Your bonus for goosing the stock price Sir."
    "Oh yes thank you."
  • by Tomahawk ( 1343 ) on Wednesday July 23, 2025 @05:55PM (#65540550) Homepage

    Then it won't matter 'cos the supplied credentials will be hallucinated and wouldn't work anyway.

  • by geekmux ( 1040042 ) on Wednesday July 23, 2025 @06:06PM (#65540584)

    I heard the Mayhem guy from Progressive isn’t even bothering with suing. He’s going straight to the mattresses. Only room for one master of chaos it seems. Good luck, Cognizant.

    To be fair, I’m also going to assume the Clorox corporation HQ needs to be tested for excessive bleach fumes. I mean, fucking seriously. We’ve seen and heard a lot of outsourcing stories. This one shits all over the Top 10. How the FUCK does a Fortune-ranked corporation not grasp the concept of red team testing in the 21st Century? This should have been an internal report years ago.

    • by sconeu ( 64226 )

      <irrelevant>Mayhem isn't Progressive. He's Allstate.</irrelevant>

      • <irrelevant>Mayhem isn't Progressive. He's Allstate.</irrelevant>

        Shit. You’re right. As if he wasn’t having a bad enough day. Apologies.

        (In my defense he kind of welcomes this chaos, so I’d call myself more an inadvertent fan making this mistake. I’d have him sign my cast any day.)

  • by gweihir ( 88907 ) on Wednesday July 23, 2025 @06:09PM (#65540592)

    ... your outsourcer is _your_ fault. I do not know what US law says, but under EU law, the company keeps full legal responsibility, regardless of whether they outsourced something or not.

    • by HiThere ( 15173 )

      I think it depends on context. IIUC...
      If the hacking damaged someone who is a customer of Clorox, then it's Clorox's responsibility. But if they've got a strong contract with someone else to do the work, they can try to collect those damages from the contracted company. And if it causes damage to Clorox's business, then they can try to collect damages from the contracted company.
      Still, if one of Clorox's customers was injured, Clorox is the one they sue, not the contractor. Recovering the damages from th

  • by 93 Escort Wagon ( 326346 ) on Wednesday July 23, 2025 @06:25PM (#65540630)

    If they need to clean up an infection, they've got plenty of bleach on hand.

  • One could imagine the building that houses the offshore Cognizant help desk team.

    And then in the same building a few floors below is the organized-crime scammer/ransomware squad who are phoning them for the passwords...

    • A few floors below? Hells, the scammer/ransomware squad probably outsourced the calling to Cognizant. Saves time and phone lines.

  • by shankarunni ( 1002529 ) on Wednesday July 23, 2025 @06:41PM (#65540682)

    "But Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant".

    So yeah. Fire all of your experienced staff, and outsource it to some sweaty lowest-bid schlubs. That'll improve security!

    • I don't think that CEOs or MBAs really understand how things work. As an Engineer, my skills overlap quite a bit with IT people, and I have respect for them to handle CEOs', HR, and Sales people's computers, but I do not think most of them should handle production, nor Engineering computers.
      • It's true, in most cases, upper management and bean counters do not understand how things work.

        But as much as it may annoy us, both the engineering row and the executive row have a purpose. Without engineering, you'd have nothing to sell. (Witness companies that laid off their engineering staff as a cost savings measure, then went under when their queue emptied.) But without the executive row, you may have something to sell, but no way to sell it. Then the company gets bought and gutted. Or just closes

    • Yeah, let's give some third party with no stake in the company all the passwords. That'll totally end well.

  • ...that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of...

    Dudes.... that's totally your fault.

  • by RitchCraft ( 6454710 ) on Wednesday July 23, 2025 @08:21PM (#65540892)

    Companies see no ROI when investing in their IT infrastructure (this includes well-trained staff), instead handing over IT functions to the lowest outsource bidders. That is, until this kind of shit happens ... then the blame game begins. Look no further than the mirror, Clorox. You're to blame.

  • my Clorox stock is still in the toilet.

  • They've been in the news a lot for sketchy visa fraud and generally shit business practices
  • The buck stops at the top, as they say.

    Don't outsource core business functions.

  • Outsourcing the keys of the kingdom to some cowboy outfit certainly sounds like it's their fault to me.
  • "It's not our fault we outsourced to the lowest bidder for a critical function of OUR company and didn't QA them on a regular basis!!1!!. You can't expect us to do all of that - we've got more important things to do as an executive leadership team. Things like travelling to golf courses and laying off people so we can get bigger bonuses!"

    https://www.cognizant.com/us/e... [cognizant.com]
  • "Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant"

    So it very much IS your fault. Full stop.

    You made the outsourcing decision, no? Has someone been fired for that choice? Maybe lost their bonus even?
