Hackers claim breach of Pickett and Associates, offers for sale US utility infrastructure data

A hacker claims to have breached Pickett and Associates, a Florida-based engineering firm that provides services to major energy providers. The attacker is offering for sale a claimed 139 GB of stolen data on a dark web forum for 6.5 Bitcoin, which is valued at approximately $585,000 at reporting. 

The data reportedly belongs to three large American power companies: Tampa Electric Company, Duke Energy Florida, and American Electric Power (AEP).

The stolen files allegedly include 892 items described as operational engineering data suitable for infrastructure analysis and risk assessment. The attacker claims the data set contains more than 800 raw LiDAR point cloud files in .las format, which are used for mapping transmission line corridors and substations, high-resolution orthophotos, MicroStation design files, and PTC settings that detail the layout of conductors and structures.

The impact of this breach extends to millions of utility customers across multiple states. Tampa Electric serves 860,000 customers in Florida, while Duke Energy Florida and American Electric Power serve nearly 7.6 million customers combined. 

Duke Energy has confirmed it is investigating the claims and Pickett and Associates has declined to comment on the incident claims.