Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment.
As first reported by BleepingComputer, Johnson Controls suffered a ransomware attack in September after the firm’s Asia offices were initially breached, and the attackers spread throughout their network. The attack forced the firm to shut down large portions of its IT infrastructure, which affected customer-facing systems.
The Dark Angels ransomware gang was behind the attack and claimed to have stolen over 27 TB of confidential data from Johnson Controls. The threat actors then demanded a $51 million ransom to delete the data and provide a file decryptor.
Dark Angels is a ransomware gang launched in May 2022 using encryptors based on the leaked source code of the now-defunct Babuk and Ragnar Locker operations.
The company acknowledged a service disruption and later attributed the cause to a “cybersecurity incident” but didn’t provide details on the type of the attack or the possibility of it having caused a data breach.
In a quarterly report filed with the U.S. Securities and Exchange Commission (SEC) yesterday, Johnson Controls confirmed that the cyberattack they suffered on September 23, 2023, was, in fact, a ransomware attack that resulted in the theft of data.
“The cybersecurity incident consisted of unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the Company’s internal IT infrastructure,” confirmed Johnson Controls.
Also, the firm says expenses associated with responding and remediating to the cyberattack amounted to $27,000,000.
“The impact on net income for the three months ended December 31, 2023, of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million,” reads the SEC filing
“These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries.”
Johnson Controls expects this cost to rise in the coming months as they continue to determine what data was stolen and work with external cybersecurity forensics and remediation experts.
Based on the information to date, Johnson Controls is confident that the unauthorized activity has been fully contained, and its digital products and services, including OpenBlue and Metasys, are all available.