Johnson Controls has started notifying individuals affected by the major data breach and ransomware attack that occurred in September 2023. The breach, attributed to the Dark Angels ransomware group, resulted in the theft of over 27 terabytes of data, including sensitive corporate information, building floor plans, client details, and potentially personal information of individuals associated with Johnson Controls and its clients.
Key Details of the Breach and Notification
The attack was discovered during the weekend of September 23, 2023. Johnson Controls confirmed data theft and operational disruptions in SEC filings and public statements. The breach impacted Johnson Controls’ operations worldwide, with data exposed from over 76 million households and 7 million small businesses, though the exact number of individuals whose personal data was compromised remains undisclosed.
Stolen data included sensitive internal documents, trade secrets, building security details, and possibly personal information such as names and contact details. The U.S. Department of Homeland Security (DHS) investigated the breach due to concerns that sensitive government facility floor plans and security information may have been compromised.
Notification Process
Johnson Controls is now sending out data breach notification letters to individuals whose information was identified among the stolen data. These notices are required by law in many jurisdictions, including California, where a sample of the notification must be submitted to the Attorney General. The notifications typically inform recipients about the nature and timing of the breach, what types of personal information may have been compromised, steps the company is taking to address the breach, and recommendations for protecting oneself from potential identity theft or fraud.
What Should Affected Individuals Do?
Recipients of the notification are urged to monitor their financial accounts and credit reports for unusual activity. Law firms are investigating potential class action lawsuits and advising affected individuals of their rights and possible remedies.
Those who receive a breach notice should follow the instructions provided, which may include enrolling in credit monitoring or identity theft protection services at no cost.
