2023-09-27 Johnson Controls International plc Cybersecurity Incident

Page last updated on April 11, 2024

Johnson Controls International plc initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-09-27 17:15:35 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-09-27
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-09-27

Johnson Controls International plc filed an 8-K at 2023-09-27 17:15:35 EDT
Accession Number: 0000833444-23-000036

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 8.01 Other Events.

Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations. The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.
The Company’s investigation and remediation efforts are ongoing.

Johnson Controls International plc Cautionary Statement Regarding Forward-Looking Statements

Johnson Controls International plc has made statements in this communication that are forward-looking and therefore are subject to risks and uncertainties. All statements in this document other than statements of historical fact are, or could be, “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Words such as “may,” “will,” “expect,” “intend,” “estimate,” “anticipate,” “believe,” “should,” “forecast,” “project” or “plan” and terms of similar meaning are also generally intended to identify forward-looking statements. However, the absence of these words does not mean that a statement is not forward-looking. Johnson Controls cautions that these statements are subject to numerous important risks, uncertainties, assumptions and other factors, some of which are beyond its control, that could cause its actual results to differ materially from those expressed or implied by such forward-looking statements, including, among others: additional information regarding the extent of the cybersecurity incident that the Company may uncover during its ongoing investigation; the Company’s ability to assess and remedy the incident; the Company’s ability to service its customers during and following the incident; the compromise or improper use of sensitive, proprietary, confidential financial, or personal data or information resulting in negative consequences such as fines, penalties, or loss of reputation, competitiveness or customers; incremental expenses associated with the Company’s on-going assessment and remediation of the incident; the nature and scope of any claims, litigation or regulatory proceedings that may be brought against the Company or other affected parties as a result of the incident; the availability of insurance coverage; other legal, reputational and financial risks resulting from this or other cybersecurity incidents and the potential impact of this incident on the Company’s revenues, operating expenses, and operating results; the length and scope of disruptions to the Company’s business operations caused by the incident; and the other factors set forth in in the Company’s Annual Report on Form 10-K for the 2022 fiscal year filed with the SEC on November 15, 2022, which is available at www.sec.gov and www.johnsoncontrols.com under the “Investors” tab. Shareholders, potential investors and others should consider these factors in evaluating the forward-looking statements and should not place undue reliance on such statements. The forward-looking statements included in this communication are made only as of the date of this document, unless otherwise specified, and, except as required by law, Johnson Controls assumes no obligation, and disclaims any obligation, to update such statements to reflect events or circumstances occurring after the date of this communication.

8-K filed on 2023-11-13

Johnson Controls International plc filed an 8-K at 2023-11-13 17:27:30 EST
Accession Number: 0000833444-23-000038

Item 8.01 Other Events.

Johnson Controls International plc (the “Company”) previously announced that it had experienced disruptions in portions of its internal information technology (IT) infrastructure and applications resulting from a cybersecurity incident. The incident was initially detected by the Company during the weekend of September 23, 2023 following outages to certain of the Company’s systems. Promptly after detecting the issue, the Company implemented its incident management and response plan and business continuity plans, including implementing remediation measures to mitigate the impact of the incident and restore affected systems and functions. The Company also engaged leading cybersecurity experts and other specialized consultants to assist in its investigation and remediation of the incident, as well as the restoration of impacted applications and systems.

The cybersecurity incident consisted of unauthorized access and deployment of ransomware by a third party to a portion of the Company’s internal IT infrastructure. The incident caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions. To date, the Company has largely restored the impacted applications and systems, and continues to execute business continuity and restoration plans for the remaining impacted applications and systems. Based on the information reviewed to date, the Company believes the unauthorized activity has been contained. The Company’s investigation and remediation efforts remain ongoing, including the analysis of data accessed, exfiltrated or otherwise impacted during the cybersecurity incident. Based on the information reviewed to date, the Company has not observed evidence of any impact to its digital products, services and solutions, including OpenBlue and Metasys.

The cybersecurity incident caused disruptions to portions of the Company’s systems that support or provide data used in financial reporting. Even though the functionality of these systems has largely been restored and the associated data has been reconciled and verified, the Company expects that, due to the timing and impact of the incident relative to the Company’s September 30, 2023 fiscal year-end, the Company will be delayed in reporting its fiscal 2023 fourth quarter and year-end results. The Company currently expects that it will report fiscal fourth quarter and year-end results by December 14, 2023 and within the Rule 12b-25 period available to the Company for its Annual Report on Form 10-K for fiscal year 2023. The Company will provide an update via press release on the specific timing of its fiscal fourth quarter and year-end results when it has greater certainty on the timing of the completion of its financial close and reporting process.

The Company continues to evaluate the business, financial and related impacts of the cybersecurity incident on its fiscal 2023 fourth quarter and year end results.

Company Information