A former
Johnson Controls employee is suing the company following a 2023 data breach that left the personal information of thousands of people at risk.
The lawsuit was filed on July 3 on behalf of
Frank Hoon in U.S. District Court for the Eastern District of Wisconsin.
Hoon is a former Johnson Controls employee who allegedly had his sensitive data exposed during the September 2023 cyberattack.
Johnson Controls said via a November 2023 SEC filing that “an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems.”
Company leadership
previously said the three-week attack would cost the business approximately $60 million.
Cybersecurity analysts have linked the ransomware group
Dark Angels to the cyberattack based on the kind of technology that was used, according to the lawsuit.
The group breaches corporate networks with the eventual goal of gaining administrative access. Dark Angels also operates a data leak site called “Dunghill Leaks” that is used to extort victims, according to the complaint.
Dark Angels allegedly demanded $51 million from Johnson Controls in return for a decryptor and to delete any data stolen from the company’s network. The group allegedly stole more than 27 terabytes of documents containing corporate data.
The company waited until June 30, 2025, before it began notifying people who may have been impacted by the data breach, according to the lawsuit.
"Because of the data breach, (Hoon) has already suffered from numerous instances of identity theft and fraud. Indeed, since the data breach occurred on or around September 2023, (Hoon) has observed multiple fraudulent changes made to his financial accounts," according to the lawsuit. "(Hoon) has been forced to replace his debit cards four times in the aftermath of the data breach. Most recently, in February 2025, (Hoon) was forced to cancel his debit card from Members First Bank after observing fraudulent charges."
The lawsuit accuses Johnson Controls of negligence, breach of fiduciary duty, invasion of privacy and breach of implied contact.
"Cybercriminals were able to breach (Johnson Controls') systems because (Johnson Controls) failed to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards or protocols to protect impacted persons' personal identifiable information."
In a Monday statement, a Johnson Controls spokesperson said the company began investigating the incident as soon as it was discovered and "terminated" the unauthorized access. The company says it has taken steps to "harden our systems and enhance security controls."
"This assessment process took time to ensure that it was thorough," according to the statement. "We have sent notification letters to certain individuals and offered complimentary credit and identity monitoring services and certain fraud support services or dark web internet scanning services, where available. We have also posted information regarding the incident on our website."
Hoon is seeking restitution and damages in an amount to be determined at trial.
More articles about Johnson Controls:
