Johnson Controls notifies victims of breach in 2023 ransomware attack

Global automation systems manufacturer Johnson Controls on June 30 notified “certain individuals” affected by a 2023 ransomware attack, attributed to the Dark Angels group, that compromised its ESXi servers and forced the company to take down its systems.

Based on the investigation conducted after Johnson Controls learned of the incident in September 2023, the company determined that the threat group accessed “certain” Johnson Controls systems from Feb. 1, 2023, to Sept. 30, 2023, and stole information.

In the letter it sent Monday, Johnson Controls said the information may have included personal information provided to the company during the course of employment, contract work or other interactions.

However, while a spokesperson for Johnson Controls confirmed the threat actor took information about the victims, including names, the company did not offer further detail about the nature of the stolen data. It was not clear as of Tuesday why it took Johnson Controls so long to notify the affected parties, beyond the company’s statement that the “assessment process took time to ensure that it was thorough.”

Agnidipta Sarkar, chief evangelist at ColorTokens, said that while most laws require companies to notify affected individuals as expeditiously as reasonably possible and without unreasonable delay, the legality of disclosure has its own caveats. Sarkar said some states, such as Colorado, Florida and Maine, require that affected individuals be notified within 30 days, and others within 45 days, but only “after conclusion of investigation.”

“This usually helps organizations to notify after the forensic report is made available,” said Sarkar. “And while Ireland, where Johnson Controls is headquartered, is one of the most stringent geographies regarding data breaches, the GDPR also employs the same language when it comes to notifying individuals.”

Sarkar, who said he has worked on both sides, added that the solution does not lie in imposing more stringent deadlines, but in insisting that the governing body of every organization be held accountable for being breach-ready.

“The board members should be penalized personally for not having governed the state to be breach-ready and for not empowering C-level executives to ensure that the opportunity for breaches is reduced,” said Sarkar. “After the breach, it’s too late, as the individual will always be vulnerable to scammers.”