
Cyber Incident Victim: AECOM

Date: Jul 2014

Location: United States of America

Summary

A global architectural and engineering firm experienced a payroll system breach compromising sensitive personal and financial data of current and former U.S. employees. The incident exposed names, addresses, Social Security numbers, and bank account details including routing information. The organization notified affected individuals and reported the intrusion to regulatory authorities, confirming the breach exclusively impacted individuals on U.S. payroll systems. Senior leadership acknowledged the unauthorized access through official correspondence while emphasizing the scope limitation to domestic personnel records.


Description

In July 2014, Los Angeles-based global engineering and architectural firm AECOM notified current and former U.S. payroll employees of a data breach involving their personal information. The company, which provides services across 150 countries and employs thousands worldwide, disclosed the incident through a letter signed by Senior Vice President and Chief Information Officer Tom Peck. Peck confirmed unauthorized parties had accessed systems containing sensitive employee payroll data, though the breach exclusively affected individuals on U.S. payroll systems, both past and present. Exposed information included full names, residential addresses, Social Security numbers, and personal bank account numbers with routing details. AECOM formally reported the breach to the California Attorney General’s Office prior to issuing notifications, indicating compliance with state breach disclosure laws. The company did not specify the exact number of affected individuals but characterized the incident as a targeted intrusion rather than a system-wide compromise. No client data or international employee records were impacted according to available disclosures.


AECOM’s response centered on direct notification to impacted personnel and regulatory authorities, with Peck’s letter serving as the primary communication vehicle. The firm did not publicly describe technical details regarding the intrusion’s origin, duration, or detection methods. Similarly, no information was provided about containment measures, forensic investigations, or whether law enforcement was engaged. The breach exposed financial identifiers and government-issued identification numbers capable of facilitating identity theft and fraudulent transactions, creating significant risks for affected employees. AECOM’s disclosure emphasized the U.S.-limited scope of the incident while acknowledging the global scale of its operations, though mitigation offerings to victims—such as credit monitoring—were not mentioned in the public notification. The incident marked one of several high-profile payroll system breaches affecting U.S. corporations during that period.
