Cyber Incident Victim: AECOM

In July 2014, Los Angeles-based global engineering and architectural firm AECOM notified current and former U.S. employees of a cybersecurity incident involving unauthorized access to payroll data. The breach exposed sensitive personal information including full names, residential addresses, Social Security numbers, and bank account details with routing numbers for individuals on U.S. payroll systems. AECOM's Senior Vice President and Chief Information Officer Tom Peck formally disclosed the incident through a notification letter submitted to the California Attorney General's Office, confirming the compromise affected both active employees and former personnel. The intrusion specifically targeted payroll records, though the exact method of unauthorized access and duration of system compromise were not detailed in public disclosures. As a multinational corporation operating across 150 countries with thousands of employees, the breach impacted a significant subset of AECOM's workforce concentrated within its U.S. operations.

The company initiated breach notifications through direct correspondence to affected individuals following the discovery of unauthorized data access. Peck's notification letter explicitly confirmed the exposure scope was limited to U.S. payroll systems and did not extend to international employee records or client project data. While AECOM did not publicly disclose the total number of impacted individuals, the breach notification filing with California authorities indicated a substantial workforce exposure given the company's status as a major federal contractor and infrastructure developer. No evidence suggested public release or misuse of stolen data at the time of notification. The incident marked one of several corporate payroll system breaches affecting U.S. enterprises during 2014, though AECOM did not publicly attribute the attack to specific threat actors or disclose whether law enforcement investigations were underway.