Editor’s note: This article was originally published on September 29, 2023 and has been updated on October 13, 2023 with a statement by Johnson Controls.
Alarm and building automation system giant Johnson Controls might have “compromised sensitive physical security information such as DHS floor plans,” according to a CNN report that says the government contractor was the victim of a recent cybersecurity attack.
The senior department of Homeland Security officials “are working to determine” the extent of the breach, according to internal DHS correspondence reviewed by CNN reporters Priscilla Alvarez and Sean Lyngaas.
Johnson Controls “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” the internal memo says, per the CNN report.
The looming potential government shutdown — which could start Sunday morning if Congress can’t strike a last-minute deal — makes it “especially time sensitive” to determine which DHS offices might be affected by the attack, the memo clarifies.
“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo adds, according to the CNN report, which adds that it is “unclear if the cybercriminal hackers accessed that information.”
“We do not currently know the full extent of the impact on DHS systems or facilities,” the internal DHS memo says, according to the CNN report.
The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards, the CNN report says. It’s unclear if the hackers in the Johnson Controls case demanded a ransom to return the information to them, according to the report.
Inside the Johnson Controls Cyberattack
The cyberattack hit Johnson Controls in the last week, causing disruptions to internal IT systems and knocking some of the company’s subsidiary websites offline, CNN reports. It’s “expected to continue to cause disruptions to some of Johnson Controls’ business operations,” according to a company filing with the U.S. Securities and Exchange Commission on Wednesday.
Johnson Controls has hired “external cybersecurity experts” to recover from the “cybersecurity incident,” and is in touch with its insurers, the SEC filing says, according to the CNN report. Company spokesman Trent Perrotto declined to comment when CNN asked what DHS data the company stores and whether sensitive physical security information was compromised in the cyberattack. Perrotto referred CNN to the company’s SEC filing.
Efforts to reach Johnson Controls officials for more information about the cyberattack were unsuccessful. CNN could not independently confirm which cybercriminal group was responsible for the breach of Johnson Controls.
DHS officials are also checking to see whether any personally identifiable information of DHS officials was swept up in the hack, according to the internal correspondence reviewed by CNN.
A Johnson Controls spokesperson has since issued the following statement: “We have experienced disruptions in portions of our internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue we began an investigation with assistance from leading external cybersecurity experts and are also coordinating with our insurers. We continue to assess what information was impacted and are executing our incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of our applications are largely unaffected and remain operational. To the extent possible, and in line with our business continuity plans, we implemented workarounds for certain operations to mitigate disruptions and continue servicing our customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of our business operations. We are assessing whether the incident will impact our ability to timely release our fourth quarter and full fiscal year results, as well as the impact to our financial results.”
This article was originally published on our sister site, Security Sales and Integration.
