Building technology giant Johnson Controls confirmed this week that the September 2023 ransomware attack resulted in the theft of data and the company said expenses associated with the incident exceed $27 million.
In an SEC filing detailing its financial results for the last quarter of 2023, the company said the attack was discovered during the weekend of September 23, 2023. The incident involved unauthorized access to its systems, data exfiltration, and the deployment of file-encrypting malware.
When the company disclosed the incident in late September, it was reported that a hacker group calling itself Dark Angels was behind the attack, with the hackers claiming to have stolen 27Tb of data from Johnson Controls.
The cybercriminals reportedly demanded a $51 million ransom in exchange for a decryption tool and to delete the stolen files, which may have included highly sensitive information.
The theft of data has been confirmed in the latest SEC filing, which reveals that the disruptions and limitations caused by the ransomware attack continued into the first quarter of 2024. Impacted systems and applications have now been restored, the company said.
“The impact on net income for the three months ended December 31, 2023 of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million,” Johnson Controls said. “These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries.”
The company expects additional expenses related to the incident throughout 2024, mainly in the first half of the year.
“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the Company’s business operations. Further, the cybersecurity incident caused disruptions to certain of the Company’s billing systems, which negatively impacted cash provided from operations during the first quarter of fiscal 2024,” the firm added.
Johnson Controls said many of the costs associated with containing, investigating and remediating the cyberattack, along with losses caused by business disruptions, should be covered by insurance.