Johnson Controls International has officially disclosed that a ransomware attack in September 2023 caused significant financial losses amounting to $27 million and resulted in a severe data breach. This revelation highlights the growing threat of cyberattacks on major corporations.
Johnson Controls, a prominent multinational conglomerate known for its development and manufacturing of industrial control systems, security equipment, air conditioners, and fire safety equipment, faced this cyber assault after its Asia offices were initially compromised.
The attackers then infiltrated the broader network, leading to a substantial disruption.
First reported by BleepingComputer, the cyberattack compelled Johnson Controls to shut down extensive portions of its IT infrastructure, severely impacting customer-facing systems. This move was a direct response to the infiltration, aiming to contain the damage and prevent further spread.
The perpetrators, identified as the Dark Angels ransomware gang, claimed responsibility for the attack. This group, active since May 2022, leverages encryptors based on the leaked source code from the defunct Babuk and Ragnar Locker operations.
They asserted they had stolen over 27 terabytes of confidential data from Johnson Controls and demanded a staggering $51 million ransom for its deletion and the provision of a file decryptor.
In the immediate aftermath, Johnson Controls acknowledged the disruption, attributing it to a “cybersecurity incident” without specifying the nature of the attack or confirming a data breach. However, in a quarterly report filed with the U.S. Securities and Exchange Commission (SEC) on July 19, 2024, the company confirmed the extent of the ransomware attack and the resulting data theft.
“The cybersecurity incident consisted of unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the Company’s internal IT infrastructure,” Johnson Controls stated in the SEC filing.
The firm detailed that the expenses associated with responding to and remediating the cyberattack amounted to $27 million.
“The impact on net income for the three months ended December 31, 2023, of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million,” the SEC filing reads. “These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries.”
The company anticipates these costs will continue to rise as it works with external cybersecurity forensics and remediation experts to fully assess the extent of the data theft and secure its systems.
Despite the attack, Johnson Controls assures stakeholders that the unauthorized activity has been fully contained and that its digital products and services, including OpenBlue and Metasys, are operational and secure.
This incident underscores the critical importance of robust cybersecurity measures in protecting sensitive data and maintaining operational integrity.
Johnson Controls’ experience serves as a cautionary tale for other corporations about the pervasive risks posed by cyber threats and the substantial financial and reputational damages they can inflict.
As the investigation continues, Johnson Controls remains focused on strengthening its cybersecurity defenses to prevent future incidents and restore confidence in its systems and services. The company’s prompt and transparent response to the attack reflects its commitment to safeguarding its assets and ensuring the security of its stakeholders.