Dive Brief:
- Johnson Controls International spent $23 million on its response and remediation of a September ransomware attack that disrupted and limited access to internal IT systems, the company said Tuesday in a quarterly filing with the Securities and Exchange Commission.
- The company, which manufactures industrial control systems, physical security systems and facility-related technology and infrastructure, reported an additional $4 million in lost and deferred revenues from the attack. The incident response and associated lost revenues amounted to a collective $27 million impact on net income for the company’s first quarter of fiscal year 2024, which ended Dec. 31.
- “The cybersecurity incident consisted of unauthorized access, data exfiltration and deployment of ransomware by a third party to a portion of the company’s internal IT infrastructure,” Johnson Controls said in the filing.
Dive Insight:
The attack, which threat analysts at the time described as severe, led to widespread concerns about potential downstream impacts on Johnson Controls’ customers.
The company, founded in Milwaukee but headquartered in Cork, Ireland, said its investigation and remediation efforts remain ongoing, including analysis of the data accessed, stolen or otherwise impacted during the attack.
“Based on the information reviewed to date, the company believes the unauthorized activity has been contained and has not observed evidence of any impact to its digital products, services and solutions, including OpenBlue and Metasys,” Johnson Controls said.
The company said it expects to incur additional losses from its response and remediation efforts throughout fiscal 2024. Yet, it doesn’t expect the overall impact of the attack to be material on net income, as it anticipates a substantial portion of direct costs to be reimbursed through insurance recoveries.
