Johnson Controls Cyberattack Cost the Company $27M
Johnson Controls International, a leading multinational conglomerate, has reported a staggering $27 million in expenses tied to the remediation of a ransomware attack that occurred in September 2023.
The attack, which was first reported by BleepingComputer, was orchestrated by the Dark Angels ransomware gang, a group known for using encryptors based on the leaked source code of the now-defunct Babuk and Ragnar Locker operations. The gang claimed to have stolen over 27 TB of confidential data from Johnson Controls and demanded a $51 million ransom for the deletion of the data and provision of a file decryptor.
The attack, which originated in the firm's Asia offices, led to a significant shutdown of Johnson Controls' IT infrastructure, impacting customer-facing systems. The company's quarterly report filed with the US Securities and Exchange Commission (SEC) detailed the incident as "unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the Company's internal IT infrastructure."
The report further stated that “the impact on net income for the three months ended December 31, 2023 of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million”.
Johnson Controls, known for its industrial control systems, security equipment, air conditioners, and fire safety equipment, has assured that there is no evidence of any impact on its digital products, services, and solutions, including OpenBlue and Metasys. All unauthorized activity appears to have been contained.
Dark Reading highlighted the company's efforts in implementing its incident management and response plan and business continuity plans, which included retaining outside cybersecurity specialists.
As the investigation and remediation efforts continue, with an ongoing analysis of data accessed or exfiltrated during the cybersecurity incident, Johnson Controls anticipates additional expenditures in the recovery process.