Incident

Johnson Controls reports data breach after severe ransomware attack



On September 27, 2023, Johnson Controls International, a multinational manufacturing conglomerate, experienced a devastating ransomware attack. The attack impacted the company's IT infrastructure, encrypting a substantial number of its devices, including critical VMware ESXi servers. The disruption extended beyond Johnson Controls to its subsidiaries, including York, Simplex, and Ruskin, all of which displayed technical outage messages on their website login pages and customer portals.

The attack originated in Johnson Controls' Asia offices, where the initial breach occurred. It then spread across the company's network, encrypting key devices. The threat actors claimed to have stolen a massive 27 terabytes of corporate data and encrypted the company's VMware ESXi virtual machines, and demanded a ransom of $51 million from the company.

Johnson Controls initiated an investigation, enlisting the assistance of leading external cybersecurity experts. The company also coordinated with its insurers to manage the incident and assess the extent of the impact. While the incident has indeed disrupted parts of the company's business operations, Johnson Controls is actively working on executing remediation measures to mitigate the effects and continue servicing its customers and releasing timely financial results.

Update - Security researchers are speculating that Johnson Controls was the victim of the Dark Angels Team extortion group.

Meanwhile, senior Department of Homeland Security officials are working to determine if a ransomware attack on government contractor Johnson Controls International has compromised sensitive physical security information such as DHS floor plans. Johnson Controls, a major manufacturer of alarm and building automation systems, “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities.”

As of the 14th of November, Johnson Controls has postponed its quarterly financial report because the ransomware attack disrupted its financial reporting systems. Although the company has largely recovered its systems, it plans to release its fiscal year results by December 14. Johnson Controls believes the incident is contained and has not observed any impact on its digital products. The company is still assessing the full business and financial effects of the cybersecurity incident as it continues its investigation and remediation efforts.

As of the 1st of July 2025, Johnson Controls International is notifying individuals whose personal data was compromised in the cyberattack. The attack was apparently orchestrated by the Dark Angels ransomware group. Exposed data includes:

  • Names
  • Personal information provided by employees
  • Personal information from contract workers
  • Personal information collected during job application processes

At least 38,037 individuals in Texas have been affected, but the total number of affected individuals across all jurisdictions has not been disclosed. Johnson Controls is reporting over $27 million in direct expenses related to incident response, forensic investigation, system remediation, and business disruption costs.

The company has offered free identity protection services to impacted individuals as a precautionary measure, recognizing the potential long-term risks associated with the exposure of personal information in such a significant data breach.
