DHS Investigating Extent of Johnson Controls Security Breach

CNN reports Homeland Security is investigating if attack on Johnson Controls compromised sensitive physical security information.
Published: October 2, 2023

Milwaukee, Wisconsin — Alarm and building automation system giant Johnson Controls might have “compromised sensitive physical security information such as DHS floor plans,” according to a CNN report that says the government contractor was the victim of a recent cybersecurity attack.

Senior Department of Homeland Security officials “are working to determine” the extent of the breach, according to internal DHS correspondence reviewed by CNN reporters Priscilla Alvarez and Sean Lyngaas.

Johnson Controls “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” the internal memo says, according to the CNN report.

“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said, according to the CNN report, which added it’s “unclear if the cybercriminal hackers accessed that information.”

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

“We do not currently know the full extent of the impact on DHS systems or facilities,” the internal DHS memo says, according to the CNN report.

The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards, the CNN report says. It’s unclear if the hackers in the Johnson Controls case demanded a ransom to return the information to them, according to the report.

Inside the Johnson Controls Cyberattack

The cyberattack hit Johnson Controls in the last week, causing disruptions to internal IT systems and knocking some of the company’s subsidiary websites offline, CNN reports. It’s “expected to continue to cause disruptions to some of Johnson Controls’ business operations,” according to a company filing with the U.S. Securities and Exchange Commission on Wednesday.

Johnson Controls has hired “external cybersecurity experts” to recover from the “cybersecurity incident,” and is in touch with its insurers, the SEC filing says, according to the CNN report. Company spokesman Trent Perrotto declined to comment when CNN asked what DHS data the company stores and whether sensitive physical security information was compromised in the cyberattack.

Perrotto referred CNN to the company’s SEC filing.

Efforts by SSI to reach Johnson Controls officials for more information about the cyberattack were unsuccessful.

CNN could not independently confirm which cybercriminal group was responsible for the breach of Johnson Controls.

DHS officials are also checking to see whether any personally identifiable information of DHS officials was swept up in the hack, according to the internal correspondence reviewed by CNN.

This article originally appeared in CS sister publication, Security Sales & Integration. Craig MaCormack is SSI’s web editor.

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series