Johnson Controls Data Breach: 76 Million Home and Small Business Security Systems’ Data Exposed on Dark Web

By James Woods
Managing Partner

NEW YORK, NY – [July 1, 2025] – Woods Lonergan PLLC, a leading complex litigation firm specializing in class action data breach lawsuits and data privacy litigation, is actively investigating a potential class action lawsuit against Johnson Controls International (JCI). This investigation follows JCI’s recent notification to individuals about a massive ransomware attack that occurred in September 2023, which compromised their internal IT infrastructure and led to the theft of over 27 terabytes of data. 

This breach is now confirmed to affect an astounding number of people: over 76 million households and 7 million small businesses globally.

Johnson Controls, a multinational conglomerate headquartered in Milwaukee, WI, is renowned for its building technologies, industrial control systems, and security solutions. The company recently detected unauthorized access to its systems. The incident, attributed to the Dark Angels ransomware group, involved a protracted period of unauthorized access spanning eight months, from February 1, 2023, to September 30, 2023. Despite discovering the breach in September 2023, Johnson Controls only began notifying affected individuals in July 2025 – an alarming delay of approximately 22 months. This significant lapse in timely notification leaves millions vulnerable to identity theft and other serious harms.

Sensitive Data Exposed: Your Personal, Financial, and Home Security Information Could Be at Risk

The 27 terabytes of data stolen in the Johnson Controls ransomware attack included an alarming range of personal and sensitive information, going far beyond typical financial data, for a staggering number of individuals across 76 million households:

  • Personal Identifying Information (PII): Full Names, Contact Information (postal and email address, telephone number), Dates of Birth, Social Security Numbers (SSNs), Passwords.
  • Financial Information: Financial Account Information.
  • Health Information: If your personal or medical records were part of any data JCI collected (e.g., from certain systems or client data).
  • Building Floor Plans: Your home or building’s detailed layouts.
  • Physical Security Details: Information related to your physical security setup.
  • Biometric Data: If your JCI security system utilizes facial recognition or fingerprinting.
  • Alarm Activity & System Performance: Logs of your security system’s activity and performance.

The exposure of such critical and intimate data, especially building plans and security details, presents unique and severe risks to the physical safety and long-term privacy of those impacted by the Johnson Controls breach. 

_________________________________________________________________________________________

If you are a homeowner, individual, or small business whose information may have been compromised in the Johnson Controls data breach, or if you have recently received a data breach notification letter from JCI, your personal, financial, and physical security privacy may be at severe risk. Call us 24/7 at (332) 330-3164 for a free and confidential consultation. Woods Lonergan’s expert data breach lawyers are skilled at securing the affected parties the justice they deserve. Call us 24/7 at (332) 378-0376 – we take no fees unless you win.


Details of the Johnson Controls Data Breach: A Protracted & Massive Compromise

Johnson Controls International (JCI), a global leader with over 100,000 employees and $27.4 billion in sales in 2024, headquartered in Milwaukee, WI, specializes in building technologies, industrial control systems, and comprehensive security solutions, effectively acting as cybersecurity and physical security providers for homes and businesses. Despite their own stated commitment to “rapid response” cybersecurity, JCI suffered a massive ransomware attack that severely impacted its internal IT infrastructure.

The incident involved unauthorized access to JCI’s systems spanning an alarming eight months, from February 1, 2023, to September 30, 2023. While Johnson Controls became aware of the attack in September 2023, it has taken them until July 2025 – nearly 22 months later – to begin notifying affected individuals. This extreme delay in notification is a critical point of concern and potential gross negligence, leaving victims unaware of the fact that their sensitive data had been exposed for almost two years.

The Johnson Controls cyberattack has been attributed to ransomware group Dark Angels. This sophisticated cybercriminal operation, active since at least 2022, is known for its high-impact, double-extortion attacks. Dark Angels specifically focuses on stealing vast amounts of sensitive data before encrypting systems, then threatening to publish the stolen information on its dark web leak site, “Dunghill Leaks,” if a ransom is not paid (in JCI’s case, a $51 million demand).

Notifications from Johnson Controls to impacted individuals were made both online, on their website, and through the U.S. Postal Service. Additional information and official disclosures can be found on the Texas Attorney General’s website, the California Attorney General’s website, the Vermont Attorney General’s website, and the Johnson Controls Notice of Data Breach.


Who Was Affected by the Johnson Controls Data Breach? 

The Johnson Controls data breach is of unprecedented scale, impacting more than an estimated 76 million households and 7 million small businesses. This broad scope means a vast array of individuals are potentially affected, particularly:

  • Any individual who receives a data breach notification letter from Johnson Controls International (notifications reportedly began in July 2025).
  • Homeowners with Johnson Controls Security Systems: Even if purchased via third-party distributors (e.g., Simplex, York, Tyco), JCI collects and stores data related to system operation, remote monitoring, and event logging via platforms like DataSource or PowerManage. This could include alarm activity, system performance data, maintenance activity, and biometric data if your system utilizes such features.
  • Individuals associated with JCI’s commercial clients: If your personal data (e.g., as an employee, contractor, or visitor) was part of “sensitive client details” stored within JCI’s systems related to building automation, HVAC, fire safety, or physical security solutions provided by Johnson Controls.
  • Current and former employees of Johnson Controls International and its subsidiaries (York, Tyco, Luxaire, Coleman, Ruskin, Grinnell, Simplex) whose employment records were part of the breach.

Potential Impact on Individual Victims of the Johnson Controls Data Breach

The Johnson Controls data breach places an unprecedented number of individuals at significant and ongoing risk, including unique threats due to the nature of JCI’s business:

  • Financial Identity Theft: Compromised SSNs, financial account numbers, and other PII can be exploited to open fraudulent accounts, make unauthorized purchases, and commit other forms of financial fraud.
  • Medical Identity Theft: If health information was exposed, it could be used to obtain fraudulent medical services, prescriptions, or equipment, leading to inaccurate medical records and financial burdens.
  • Tax Fraud: Stolen SSNs are a prime target for filing fraudulent tax returns.
  • Targeted Phishing and Social Engineering Attacks: The detailed personal and security information makes victims highly vulnerable to sophisticated scams designed to extract even more sensitive data, or to gain physical access.
  • Severe Privacy Violations: The compromise of personal data, especially related to home security systems, is a profound invasion of privacy.
  • Direct Physical Security Risk: The exposure of building floor plans and security details creates a tangible threat, potentially making homes or properties vulnerable to physical intrusion and targeting by criminals. This is a highly unusual and alarming consequence for a data breach.
  • Emotional Distress and Anxiety: The realization that intimate personal data and physical security details have been compromised can cause significant and lasting emotional distress.

Legal Claims in the Johnson Controls Data Breach Lawsuit Investigation

Woods Lonergan PLLC’s Data Breach attorneys are focused on potential violations of law and legal claims in the Johnson Controls data breach case, given the scale of the data breach and alarming details:

  • Gross Negligence / Egregious Delay: Johnson Controls’ failure to adequately protect such highly sensitive data, particularly for a company that itself offers cybersecurity solutions and touts a “rapid response” commitment to cybersecurity threats. The eight-month unauthorized access window and the 22-month delay in notifying affected individuals appear to demonstrate a failure in duty to both safeguard data and inform victims in a timely manner as required by law.
  • Breach of Contract/Breach of Duty: JCI’s own stated commitment to “rapid response,” “remediating vulnerabilities,” and “protecting security interests” for its smart building and security clients creates a strong argument for breach of contract or an implied duty to protect the very data they are now confirming was stolen on a massive scale.
  • State Data Breach Notification Laws: Violations of relevant state laws requiring timely notification. The extraordinary delay by JCI likely constitutes a violation of numerous state statutes that mandate notification “without unreasonable delay” or within specific timeframes.
  • HIPAA Violations: To the extent that health information (PHI) was compromised, JCI may also be found in violation of its obligations under the Health Insurance Portability and Accountability Act (HIPAA).
  • Other Potential Claims: Depending on the specific circumstances and applicable state laws, additional claims may be possible as our investigation uncovers more details.

“The Johnson Controls data breach represents an unprecedented failure of cybersecurity for a company that positions itself as a leader in security solutions,” said Jim Woods, Managing Partner of Woods Lonergan PLLC. “The sheer scale – impacting 76 million households – coupled with an almost two-year delay in notifying victims and the theft of incredibly sensitive data like building floor plans and security details, is a grave breach of trust. When a company holds itself out as a security expert, it has an even higher responsibility. Our firm is committed to holding Johnson Controls accountable for this egregious incident and securing justice and full compensation for every affected individual.”

The Dark Angels Ransomware Group: Behind the Attack

Dark Angels leverages malware based on leaked Babuk and Ragnar Locker ransomware source code. Their tactics include exploiting vulnerabilities and deploying phishing campaigns to gain initial access. Their successful infiltration of a major security solutions provider like Johnson Controls, and their ability to exfiltrate 27 TB of highly sensitive corporate and client data, underscores the severity of their capabilities.


Which Security Systems Are Impacted in the Johnson Controls Security Breach?

Several well-known security system brands owned by Johnson Controls are widely used in homes and small businesses across the U.S. and globally. If you or your business use any of the following systems, your data may have been part of this breach:

  • DSC – Intrusion detection systems frequently installed in homes and small businesses across the U.S.
  • Qolsys – Maker of the popular IQ Panel used in smart home security setups nationwide.
  • Visonic – Wireless alarm systems found in many U.S. residences, including apartments and condos.
  • Cloudvue – Cloud-based video surveillance and access control platform used by modern homeowners and small commercial properties.
  • Exacq, Illustra, and Kantech – Video management and access control technologies used in retail locations, multi-unit residential buildings, and mid-sized offices.

What Individuals Affected by the Johnson Controls Data Breach Should Do Now

If you believe your personal, financial, or home security information was exposed in the Johnson Controls data breach, or if you have recently received a data breach notification letter from JCI, taking immediate and proactive steps is crucial:

  • Review the Notification Letter: Carefully read any communication, including emails, from Johnson Controls and its subsidiaries to understand which specific types of your personal information were exposed.
  • Monitor Financial Accounts and Credit Reports: Closely scrutinize all financial statements, credit card activity, and your credit reports for any unauthorized or suspicious transactions. You are entitled to a free credit report annually from each of the three major credit bureaus.
  • Consider a Fraud Alert or Credit Freeze: Placing a fraud alert makes it harder for identity thieves to open new accounts in your name. A credit freeze offers stronger protection by restricting access to your credit report altogether.
  • Change Passwords: Immediately update passwords for all online accounts, especially those linked to any Johnson Controls products or services you use, or accounts that share similar credentials. If your home security system or smart building system relies on JCI components, consider updating passwords for those as well.
  • Be Vigilant Against Phishing Attempts: Be highly suspicious of unsolicited emails, texts, or calls, as cybercriminals may use the stolen data to craft highly targeted phishing or social engineering attacks. Do not click suspicious links or provide personal information.
  • Assess Physical Security: Given the potential exposure of building plans and physical security details, consider reviewing and enhancing your home or property’s physical security measures.

Contact Our Data Breach Litigation Team

If you are a homeowner, individual, or small business whose information may have been compromised in the Johnson Controls data breach, or if you have recently received a data breach notification letter from JCI, your personal, financial, and physical security privacy may be at severe risk. Contact Woods Lonergan for a free and confidential consultation. Woods Lonergan’s expert data breach lawyers are skilled at securing the affected parties the justice they deserve. Call us 24/7 at (332) 378-0376 – we take no fees unless you win.


Frequently Asked Questions (FAQs) About Data Breaches

General Data Breach Questions for Potential Plaintiffs:

  • What is a data breach? A data breach occurs when unauthorized individuals gain access to sensitive or confidential data, often leading to the exposure, theft, or loss of personal, financial, or proprietary information. This could involve hacking, accidental sharing, or physical theft of data storage devices.
  • What data can be compromised in a data breach? Data that can be compromised includes Personally Identifiable Information (PII) such as names, addresses, Social Security numbers, birthdates, phone numbers; Financial Information like credit card numbers or bank account details; Medical Records including health history and insurance details; Login Credentials; and even Business Data like proprietary information or intellectual property.
  • How do data breaches happen? Data breaches can occur through various methods, including hacking (cybercriminals exploiting vulnerabilities), phishing (fraudulent emails tricking users), malware (malicious software infecting systems), and insider threats (employees or contractors intentionally or accidentally exposing data).
  • What should I do if I believe my data has been breached? Immediately change passwords for any affected accounts, monitor bank accounts and credit cards for unusual activity, notify affected organizations, report to authorities in cases of identity theft, consider placing fraud alerts or credit freezes, and stay alert for phishing scams.
  • How can I protect myself from data breaches? To reduce risk, use strong and unique passwords, enable multi-factor authentication, be cautious of phishing scams, update software regularly, encrypt sensitive data, use secure networks, and regularly review privacy settings on online accounts.
  • What is the difference between a data breach and a data leak? A data breach typically involves unauthorized access or intrusion into a system to steal data. A data leak may not involve malicious intent but still results in the unintended disclosure of information (e.g., misconfigured server exposes data). Both can be harmful.
  • Can a company be held liable for a data breach? Yes. Companies can be held liable, often on grounds of negligence (failing to take reasonable security measures), breach of contract, or violations of state and federal data protection laws (like HIPAA or specific state notification statutes).
  • What is a data breach notification? A data breach notification is a formal communication from the breached entity informing affected individuals that their personal information has been compromised. Many state and federal laws mandate these notifications within specific timeframes.

Specific Questions for Johnson Controls Data Breach Victims:

  • How do I know if my household or business was affected by the Johnson Controls data breach? Johnson Controls is beginning to send out notification letters as of July 1, 2025. If you receive such a letter, your data was compromised. Given the vast scope (76M+ households), even without a letter yet, you may be affected if you are a past or present JCI customer (e.g., had a JCI-affiliated security system) or associated with one of their commercial clients.
  • What specific information related to my home security system might have been exposed? If you have a Johnson Controls security system, the breach could have exposed details like alarm activity, system performance data, maintenance activity, and potentially even biometric data if your system uses such features, in addition to your personal identifying information.
  • Can the stolen building floor plans or security details put my physical property at risk? Yes, this is a serious and unique risk. The exposure of sensitive building floor plans and security details could potentially make your property (home or business) more vulnerable to physical intrusion or targeting.
  • Why did it take Johnson Controls so long (almost 2 years) to notify individuals about this breach? This is a key question that raises concerns about JCI’s conduct. While investigations can be complex, a 22-month delay from discovery to notification is exceptionally long and may indicate a failure to follow legal requirements for timely disclosure.
  • What compensation can I seek for the unique risks from the Johnson Controls breach? Beyond standard identity theft concerns, victims of the Johnson Controls breach may be able to seek compensation for the heightened risk of physical security compromise, the unique invasion of privacy from exposed home/building data, and potential emotional distress, in addition to any financial losses incurred.

About Woods Lonergan PLLC

Woods Lonergan PLLC is a leading New York-based litigation firm specializing in complex civil litigation, including class action data privacy and cybersecurity matters. Our firm is currently representing plaintiffs in open litigation for numerous significant data breaches in 2025, including cases involving PowerSchool, Ahold Delhaize, Aflac Insurance, Sunflower Medical, Community Care Alliance, DISA Global, and others. Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.


About the Author

James Woods, Managing Partner of Woods Lonergan, holds more than 25 years of experience in corporate, real estate, and business legal matters. His expertise in handling negotiations, litigation, jury trials, and all forms of alternative dispute resolution spans multiple areas, including corporate, real estate, and commercial litigation. James actively represents dozens of Cooperative and Condominium Boards and serves as counsel to many Corporate Boards. Prior to founding the firm, James proudly served as an Assistant District Attorney for Nassau County and handled both jury and bench trials. With experience that also covers sophisticated transactions and complex acquisitions, James also serves as counsel to several domestic companies in a range of industries and commercial arenas, including real estate, insurance, banking, transportation, and construction. If you have any questions about this article you can contact attorney James Woods through his biography page.

Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.