Johnson Controls Data Breach Exposes Employees' Sensitive Information

Published

July 1, 2025

Updated

July 31, 2025

Johnson Controls

Types of INFORMATION affected

Names
Social Security Numbers
Dates of Birth
Addresses
Government IDs
Medical Info
Financial Info

On February 1, 2023, Johnson Controls International plc, a global leader in building products and solutions, experienced a major data breach. The incident was later disclosed to state authorities in California, Texas, and Vermont on June 30 and July 1, 2025. According to official filings, the breach affected at least 38,037 individuals in Texas alone, with additional impacts in other states.

The breach involved unauthorized access to internal systems, resulting in the exposure of personal information. The types of consumer information exposed included personal information provided to the company by employees, contract workers, and while in the job application process.

While the specific method of intrusion and the identity of the perpetrators have not been publicly detailed, the nature of the exposed information suggests that personally identifiable information (PII) was compromised. There is no indication that protected health information (PHI) was involved.

The breach was reported to the California Attorney General, Iowa Attorney General, New Hampshire Attorney General, Texas Attorney General, Washington Attorney General, and the Vermont Attorney General. Johnson Controls also posted a notice for affected individuals on their dedicated FAQ page.

Johnson Controls's response

In response to the breach, Johnson Controls provided notification to affected consumers via U.S. Mail and by posting information on a special section of their website. The company’s FAQ page offers guidance for those impacted, outlining recommended steps to protect personal information. If you received a notice, it is important to remain vigilant by monitoring your financial accounts and credit reports for suspicious activity.

Given the exposure of names and other personal details, affected individuals should be cautious of potential phishing attempts or fraudulent communications that may reference the breach. While no financial or health data has been reported as compromised, it is wise to use strong, unique passwords for your accounts and consider placing a fraud alert or credit freeze with the major credit bureaus if you have concerns about identity theft.

For more information, visit the Johnson Controls website.

Protect Your Data

A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.

This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure. ExpressVPN is offering 61% off, risk-free for 30 days, with ID Theft Insurance included and no extra cost for those who sign up for one or two years.