Johnson Controls Victimized by Security Breach, DHS Investigating Extent

CNN reports Homeland Security Dept. investigating if attack on JCI compromised sensitive physical security info, such as DHS floor plans.

MILWAUKEE — A recent cybersecurity attack on alarm and building automation system giant Johnson Controls might have “compromised sensitive physical security information such as DHS floor plans,” according to a CNN report on the government contractor.

Senior Department of Homeland Security officials “are working to determine” the extent of the breach, according to internal DHS correspondence reviewed by CNN reporters Priscilla Alvarez and Sean Lyngaas.

“We have experienced disruptions in portions of our internal information technology infrastructure and applications resulting from a cybersecurity incident,” a Johnson Controls spokesperson says. “Promptly after detecting the issue we began an investigation with assistance from leading external cybersecurity experts and are also coordinating with our insurers.

“We continue to assess what information was impacted and are executing our incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate,” the spokesperson says.

Many of Johnson Controls’ applications “are largely unaffected and remain operational,” according to the company spokesperson. “To the extent possible, and in line with our business continuity plans, we implemented workarounds for certain operations to mitigate disruptions and continue servicing our customers.

“However, the incident has caused, and is expected to continue to cause, disruption to parts of our business operations. We are assessing whether the incident will impact our ability to timely release our fourth quarter and full fiscal year results, as well as the impact to our financial results,” the spokesperson says.

Johnson Controls “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” the internal memo says, according to the CNN report.

“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said, according to the CNN report, which added it’s “unclear if the cybercriminal hackers accessed that information.”

“We do not currently know the full extent of the impact on DHS systems or facilities,” the internal DHS memo says, according to the CNN report.

The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards, the CNN report says. It’s unclear if the hackers in the Johnson Controls case demanded a ransom to return the information to them, according to the report.

Inside the Johnson Controls Cyberattack

The cyberattack hit Johnson Controls in the last week, causing disruptions to internal IT systems and knocking some of the company’s subsidiary websites offline, CNN reports. It’s “expected to continue to cause disruptions to some of Johnson Controls’ business operations,” according to a company filing with the U.S. Securities and Exchange Commission on Wednesday.

Johnson Controls has hired “external cybersecurity experts” to recover from the “cybersecurity incident,” and is in touch with its insurers, the SEC filing says, according to the CNN report. Company spokesman Trent Perrotto declined to comment when CNN asked what DHS data the company stores and whether sensitive physical security information was compromised in the cyberattack.

Perrotto referred CNN to the company’s SEC filing.

CNN could not independently confirm which cybercriminal group was responsible for the breach of Johnson Controls.

DHS officials are also checking to see whether any personally identifiable information of DHS officials was swept up in the hack, according to the internal correspondence reviewed by CNN.


About the Author


Craig MacCormack is a veteran journalist who joined Security Sales & Integration in June 2023 as web editor. He covered AV, IT and security with SSI's sister publication, Commercial Integrator, from January 2011 to June 2021.
