Connect with us

Hi, what are you looking for?


Incident Response

Johnson Controls Ransomware Attack: Data Theft Confirmed, Cost Exceeds $27 Million

Johnson Controls confirms that the recent ransomware attack resulted in data theft and says expenses reached $27 million. 

Johnson Controls

Building technology giant Johnson Controls confirmed this week that the September 2023 ransomware attack resulted in the theft of data and the company said expenses associated with the incident exceed $27 million. 

In an SEC filing detailing its financial results for the last quarter of 2023, the company said the attack was discovered during the weekend of September 23, 2023. The incident involved unauthorized access to its systems, data exfiltration, and the deployment of file-encrypting malware.

When the company disclosed the incident in late September, it was reported that a hacker group calling itself Dark Angels was behind the attack, with the hackers claiming to have stolen 27Tb of data from Johnson Controls. 

The cybercriminals reportedly demanded a $51 million ransom in exchange for a decryption tool and to delete the stolen files, which may have included highly sensitive information

The theft of data has been confirmed in the latest SEC filing, which reveals that the disruptions and limitations caused by the ransomware attack continued into the first quarter of 2024. Impacted systems and applications have now been restored, the company said.

“The impact on net income for the three months ended December 31, 2023 of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million,” Johnson Controls said. “These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries.”

The company expects additional expenses related to the incident throughout 2024, mainly in the first half of the year. 

“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the Company’s business operations. Further, the cybersecurity incident caused disruptions to certain of the Company’s billing systems, which negatively impacted cash provided from operations during the first quarter of fiscal 2024,” the firm added.

Advertisement. Scroll to continue reading.

Johnson Controls said many of the costs associated with containing, investigating and remediating the cyberattack, along with losses caused by business disruptions, should be covered by insurance. 

Related: MGM Resorts Says Ransomware Hack Cost $110 Million

Related: City of Dallas Details Ransomware Attack Impact, Costs 

Related: Capita Says Ransomware Attack Will Cost It Up to $25 Million 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.