The Human Perimeter
How a Simple Phone Call Cost Clorox $380 Million
Published 29 July 2025
1. The Breach That Didn’t Need a Hacker
In August 2023 a caller—linked to the Scattered Spider crew—rang Cognizant’s help‑desk, claimed to be a locked‑out Clorox employee, and was given fresh credentials on the spot. No malware. No zero‑day. Just an unverified request. Four months of disruption later, Clorox tallied USD 380 million in losses and is now suing Cognizant for gross negligence. (Reuters, Tom's Hardware, Cybersecurity Dive)
2. Why “The Human Perimeter” Matters
A firewall can’t stop an employee from believing a convincing voice on the phone.
The Clorox incident is a textbook reminder that security succeeds—or fails—at the human perimeter: the constellation of people, processes and culture that wrap around every security control.
| Tech Control | Human Equivalent |
|---|---|
| MFA policy | Help‑desk agent who enforces (or bypasses) it |
| SIEM alert | Analyst who triages instead of ignores |
| Data‑loss rule | Marketing lead who resists pressure to “just email the file” |
3. Anatomy of the Failure
Help‑Desk Verification Gap – Internal policy required multi‑factor identity checks; agents skipped them. (Specops Software)
Social Engineering Awareness – Attackers made multiple calls before landing the right agent, showing inconsistent staff training. (Hackread)
Governance & Culture – Audit logs suggest no second‑eye approval for password resets—indicative of process drift. (BleepingComputer)
Key takeaway: attackers exploited behaviour, not software.
4. Counting the Cost
| Category | Reported Impact |
|---|---|
| Direct remediation | USD 49 M (forensics, clean‑up) (Reuters) |
| Business interruption | ~USD 330 M in lost shipments & shelf space (Medium) |
| Ongoing litigation | USD 380 M claim vs. Cognizant + legal fees (Tom's Hardware) |
5. Your Quick Audit: Can You Say “Yes” to These?
Help Desk follows a scripted identity checklist—and managers spot‑check calls weekly.
Every employee completes social‑engineering drills at least quarterly.
Authority to override MFA is limited, logged and requires supervisor approval.
Table‑top exercises simulate live voice‑phishing, not just email phishing.
Reward culture: agents praised for stopping questionable requests, not for “fast ticket closure.”
6. Building a Human‑Centric Defense
| Pillar | Practical Step |
|---|---|
| Training | Run voice‑phishing red‑team calls and publish results internally. |
| Governance | Embed dual‑control for privileged resets (NIST CSF PR.AC‑6). |
| Culture | CEO‑level messages that security > speed. Reward “good friction.” |
| Testing | Quarterly purple‑team to measure help‑desk social‑engineering resilience. |
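As an added illustration of the dual‑control and weekly spot‑check items above (example code, not from the original article or from any organisation named in it): a small Python audit over a constructed help‑desk log that flags privileged resets where the agent skipped identity checks or no independent approver was recorded. The log format, the check names and the event names are assumptions made for the example.

```python
# Identity checks an agent must complete before any credential reset.
# These names are constructed for the example, not a real product's checklist.
REQUIRED_CHECKS = {"callback", "manager_confirm", "mfa_push"}

# Events that need an independent (second-eye) approver.
PRIVILEGED_EVENTS = {"credential_reset", "mfa_bypass"}

# Constructed help-desk audit log in a simple key=value format (not a real log source).
SAMPLE_LOG = """\
2023-08-11T14:02:07Z event=credential_reset ticket=HD-1001 requester=jdoe agent=agent7 checks=callback,manager_confirm,mfa_push approver=sup2
2023-08-11T14:40:51Z event=credential_reset ticket=HD-1002 requester=asmith agent=agent3 checks=none approver=-
2023-08-11T15:12:30Z event=credential_reset ticket=HD-1003 requester=mlee agent=agent3 checks=callback approver=agent3
2023-08-11T15:30:00Z event=mfa_bypass ticket=HD-1004 requester=rkhan agent=agent5 checks=callback,manager_confirm,mfa_push approver=sup1
2023-08-11T16:05:12Z event=ticket_closed ticket=HD-1001 agent=agent7
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields

def violations(event):
    """List dual-control failures for one privileged event (empty list = compliant)."""
    problems = []
    done = set(event.get("checks", "").split(",")) - {"none", ""}
    missing = sorted(REQUIRED_CHECKS - done)
    if missing:
        problems.append("skipped identity checks: " + ", ".join(missing))
    approver = event.get("approver", "-")
    if approver in ("-", ""):
        problems.append("no second-eye approval recorded")
    elif approver == event.get("agent"):
        problems.append("agent approved their own request")
    return problems

def audit(log_text):
    """Map ticket -> violations for every non-compliant privileged event; a weekly spot-check."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("event") in PRIVILEGED_EVENTS and (found := violations(ev)):
            findings[ev["ticket"]] = found
    return findings
```

Running `audit(SAMPLE_LOG)` on the constructed log reports HD-1002 (no checks, no approver) and HD-1003 (partial checks, agent self‑approved) while leaving the two compliant resets and the non‑privileged ticket closure alone.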
7. Link to DORA & NIS2
EU regulations now formalise “people & process” risk:
DORA Article 11 demands ICT incident response & reporting that covers human error.
NIS2 Article 21 calls for basic cyber‑hygiene and training for “essential entities.”
Clorox’s lawsuit is a preview: regulators will treat human‑process failure as negligence. (Financial Times)
8. Conclusion
Scattered Spider didn’t need a zero‑day. They needed one untrained person.
Your people are your strongest firewall—or your fastest breach.
Which one are you training them to be?
Further Reading
Reuters – “Lawsuit says Clorox hackers got passwords simply by asking.”
Tom’s Hardware – “IT provider sued after it simply handed the credentials to hackers.”
Cybersecurity Dive – “Clorox files $380M suit blaming Cognizant for 2023 cyberattack.”
Specops Software – “How a simple service desk attack cost Clorox millions.”
HackRead – “How Scattered Spider used fake calls to breach Clorox via Cognizant.”
Computer Weekly – “Scattered Spider victim Clorox sues help‑desk provider.”