# Full Report
For the bargain price of 6.5 bitcoin, a cybercrook claims to have breached Pickett and Associates, a Florida-based engineering firm whose clients include major US utilities, and is selling what they claim to be about 139 GB of engineering data about Tampa Electric Company, Duke Energy Florida, and American Electric Power. The price is 6.5 bitcoin, which amounts to about $585,000.…
# Analysis Summary
# Incident Report: Alleged Pickett and Associates Engineering Data Breach
## Executive Summary
A cybercriminal publicly claimed to have successfully breached Pickett and Associates, a Florida-based engineering firm specializing in utility infrastructure services. The attacker is currently attempting to sell approximately 139 GB of engineering data pertaining to major US utility clients, including Tampa Electric Company, Duke Energy Florida, and American Electric Power, for 6.5 Bitcoin (approx. $585,000). The full timeline, specific entry vector, and definitive confirmation of the breach are pending full investigation.
## Incident Details
- Discovery Date: January 2, 2026 (Date of public claim/sale)
- Incident Date: Unknown (Occurred prior to January 2, 2026)
- Affected Organization: Pickett and Associates
- Sector: Engineering Services / Critical Infrastructure Support
- Geography: Tampa, Florida, USA
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Pre-Jan 2, 2026)
- Vector: Not disclosed in the article. (Implied remote access or system compromise)
- Details: The attacker claims to have accessed and exfiltrated proprietary engineering data belonging to Pickett and Associates.
### Lateral Movement
- Not disclosed in the article.
### Data Exfiltration/Impact
- Date/Time: Unknown (Prior to public sale announcement)
- Details: Approximately 139 GB of data (892 files, per the attacker's claim) were exfiltrated. The seller describes the data as "real, operational engineering data from active projects of major utilities," including LiDAR point cloud files (.las), orthophotos (.ecw), MicroStation design files, and vegetation feature files (.xyz).
### Detection & Response
- Date/Time: January 2, 2026 (Public reporting/alert)
- Details: The incident became public knowledge when screenshots of the data sale were shared on social media and posted on the Daily Dark Web. Pickett USA provided no comment when contacted by media.
- Response actions taken: No specific containment or investigation actions by Pickett or affected utilities were detailed in the provided text.
## Attack Methodology
- Initial Access: Unknown (Claimed compromise)
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Unknown
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: File collection resulting in 139 GB of engineering data.
- Exfiltration: Method not disclosed; the attacker holds a copy of the data and is offering it for sale.
- Impact: Unauthorized access and potential theft of sensitive infrastructure planning/design data.
## Impact Assessment
- Financial: Asking price of $585,000 (6.5 BTC) for the data outright. Potential future remediation and investigation costs are unknown.
- Data Breach: Approximately 139 GB of engineering data, proprietary LiDAR scans, and design files belonging to Tampa Electric Company, Duke Energy Florida, and American Electric Power.
- Operational: The data's nature (operational engineering data for active projects) presents a significant risk to the utility sector if misused for infrastructure analysis or targeted attacks.
- Reputational: Significant reputational damage to Pickett and Associates due to the highly sensitive nature of the compromised client data.
## Indicators of Compromise
- Network indicators: None disclosed (Sales advertisement observed on public/dark web platforms).
- File indicators: 892 files stolen, notably .las, .ecw, .xyz, and MicroStation design files.
- Behavioral indicators: Criminal publicly advertising sale/proof of data access on social media platforms and the Daily Dark Web.
## Response Actions
- Containment measures: Not disclosed.
- Eradication steps: Not disclosed.
- Recovery actions: Not disclosed.
*(Note: Media attempted contact with Pickett USA, who offered no comment.)*
## Lessons Learned
- Client data protection is paramount, especially when handling critical infrastructure engineering data.
- A lack of immediate public comment from the vendor raises concerns regarding incident readiness and transparency.
- The threat actor's monetization strategy (a high asking price for specialized data) indicates deliberate targeting of information with known high value and utility/OT risk.
## Recommendations
- Immediately engage third-party forensic investigators to confirm the scope, authenticity, and method of breach.
- Review and segment access controls for client-specific projects, particularly for sensitive engineering files handled by third-party design firms like Pickett.
- Implement enhanced monitoring for large outbound data transfers originating from engineering workstations.
- Develop a transparent and rapid communication plan for informing high-value clients (like the named utilities) in the event of a confirmed breach.
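The outbound-transfer monitoring recommended above can be implemented as a volumetric rule over network flow records: sum the bytes each engineering workstation sends to external addresses inside a sliding window and alert when the total exceeds a floor or a multiple of that host's normal volume. The Python below is an added example written for this page; it is not code from the report, from Pickett and Associates, or from any named utility. The flow records, host names, IP ranges, baselines, and thresholds are all constructed.

```python
"""Volumetric detection of large outbound transfers from engineering workstations.

Added example for this page; all sample data below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records (hypothetical):
# (timestamp, source host, source IP, destination IP, bytes sent by the source)
SAMPLE_FLOWS = [
    ("2026-01-01T09:00:00", "eng-ws-07", "10.20.1.7", "10.20.5.50", 120_000_000),     # internal file server
    ("2026-01-01T09:05:00", "eng-ws-07", "10.20.1.7", "203.0.113.45", 900_000_000),   # external, large
    ("2026-01-01T09:20:00", "eng-ws-07", "10.20.1.7", "203.0.113.45", 1_300_000_000), # external, large
    ("2026-01-01T10:10:00", "eng-ws-07", "10.20.1.7", "203.0.113.45", 1_100_000_000), # external, large
    ("2026-01-01T09:30:00", "eng-ws-12", "10.20.1.12", "198.51.100.9", 40_000_000),   # normal SaaS sync
    ("2026-01-01T11:00:00", "eng-ws-12", "10.20.1.12", "198.51.100.9", 30_000_000),   # normal SaaS sync
]

# Constructed per-host baseline: typical outbound bytes to external hosts per window.
SAMPLE_BASELINES = {"eng-ws-07": 150_000_000, "eng-ws-12": 80_000_000}

# RFC 1918 ranges treated as internal; transfers to these are not counted.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_external(ip: str) -> bool:
    """True when the destination is outside the internal address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_large_outbound(flows, baselines=None, window=timedelta(hours=2),
                          floor_bytes=2_000_000_000, multiplier=5.0):
    """Return one alert per host whose external outbound volume in any sliding
    window exceeds max(floor_bytes, multiplier * host baseline).

    Hosts without a baseline are judged against floor_bytes alone.
    """
    baselines = baselines or {}
    by_host = defaultdict(list)
    for ts, host, _src, dst, nbytes in flows:
        if is_external(dst):
            by_host[host].append((datetime.fromisoformat(ts), dst, nbytes))

    alerts = []
    for host, recs in by_host.items():
        recs.sort()  # chronological order for the sliding window
        threshold = max(floor_bytes, multiplier * baselines.get(host, 0))
        total, start = 0, 0
        for i, (t, _dst, n) in enumerate(recs):
            total += n
            # Drop records that fell out of the window.
            while t - recs[start][0] > window:
                total -= recs[start][2]
                start += 1
            if total > threshold:
                alerts.append({
                    "host": host,
                    "window_start": recs[start][0].isoformat(),
                    "window_end": t.isoformat(),
                    "bytes": total,
                    "threshold": threshold,
                    "destinations": sorted({d for _, d, _ in recs[start:i + 1]}),
                })
                break  # one alert per host is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in detect_large_outbound(SAMPLE_FLOWS, SAMPLE_BASELINES):
        print(alert)
```

With the constructed records, `eng-ws-07` sends 2.2 GB to a single external address within 15 minutes and is flagged, while `eng-ws-12` stays under both its baseline multiple and the floor. In production the baseline would be learned from the host's own history (for example a rolling median per window), and an alert should carry the destination list so responders can check whether the endpoint is an approved client transfer service or an unknown host.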