Johnson Controls Ransomware Cleanup Costs Top $27M & Counting

JCI's latest SEC filing notes that its smart-factory installations weren't compromised, allaying physical security fears.

a factory's robot arm OT infrastructure being controlled digitally on a simulated screen
Source: Chroma Craft Media Group via Alamy Stock Photo

Johnson Controls International (JCI) spent $27 million remediating a September 2023 ransomware attack on its systems — an attack that government officials warned at the time could threaten physical security.

According to a filing with the US Securities & Exchange Commission (SEC) this week, the building automation, HVAC, and fire protection giant uncovered the attack the weekend of Sept. 23, after receiving reports of system outages. It was a ransomware hit that locked up internal IT infrastructure and allowed assailants to exfiltrate company data.

The filing didn't mention which gang JCI determined to be behind the cyberattack, but at the time researchers attributed it to Dark Angels using a custom VMware ESXi encryptor.

"The company implemented its incident management and response plan and business continuity plans, including implementing remediation measures to mitigate the impact of the incident and restore affected systems and functions," JCI noted in the SEC filing, adding that the $27 million price tag for the effort takes into account cyber insurance payouts, and includes the cost of retaining outside cybersecurity specialists.

The filing noted that the investigation and remediation efforts remain ongoing, "including the analysis of data accessed, exfiltrated or otherwise impacted during the cybersecurity incident," and expects to spend more on the recovery as a result.

Contrary to fears floated by the Department of Homeland Security after the attack, JCI also said that there is "no evidence of any impact to its digital products, services, and solutions including OpenBlue and Metasys," referring to its smart-building and AI-enabled lines of business, which are often deployed in industrial settings and bring operational technology (OT) together with IT systems.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights