TL;DR: A cybercriminal is selling 139GB of sensitive engineering data stolen from Pickett USA, a Tampa-based firm that provides services to major US utilities. The data includes LiDAR point clouds of transmission line corridors, substation layouts, high-resolution aerial imagery, and design files for Tampa Electric Company, Duke Energy Florida, and American Electric Power. The asking price: 6.5 Bitcoin (~$600,000). Duke Energy has launched an investigation. The breach likely originated from compromised cloud credentials. This is exactly the kind of data that could enable physical attacks on power infrastructure.
What Happened
In early January 2026, security researchers discovered a listing on a dark web forum: 139GB of engineering data from Pickett and Associates (Pickett USA), a Florida-based engineering firm specializing in transmission line design, aerial surveying, and LiDAR services for utility companies.
The seller claims the data represents "real, operational engineering data from active projects of major utilities." That's not hyperbole. The data includes:
- 800+ LiDAR point cloud files (.las format, 100MB-2GB each): detailed 3D mapping of transmission corridors
- Full substation coverage: bare earth, vegetation, conductors, and structural layouts
- High-resolution orthophotos (.ecw format): aerial imagery of infrastructure
- MicroStation design files (.dgn): engineering schematics and configurations
- Vegetation feature datasets (.xyz format): clearance zone mapping
The affected utilities include Tampa Electric Company (TECO), Duke Energy Florida, and American Electric Power (AEP), companies that serve millions of customers across the southeastern United States.
The Price of Power Grid Data
The cybercriminal is asking 6.5 Bitcoin, approximately $585,000 to $600,000 at current rates. That's a fraction of what nation-state actors or sophisticated criminal groups might pay for reconnaissance data on critical infrastructure.
This isn't abstract. LiDAR data shows exactly where transmission lines run, how they're structured, what the clearance zones look like, and where substations are located. Combined with design files and aerial imagery, a buyer would have a complete picture of how to physically disrupt power delivery to millions of homes and businesses.
The seller describes the dataset as suitable for "infrastructure analysis, modeling, and risk assessment." That's the sanitized version. The unsanitized version: this data could guide sabotage.
How They Got In
Pickett USA hasn't publicly commented on the breach. But security researchers tracking the incident have identified a likely attack vector: infostealer malware compromising cloud file storage credentials.
Infostealers are commodity malware designed to harvest saved passwords, browser cookies, and authentication tokens. Once an employee's credentials are stolen, attackers can log in to cloud storage platforms directly; no network penetration is required.
This is the "Extended Enterprise" vulnerability that security researchers keep warning about. Major utilities like Duke Energy may have strong internal security. But their vendors? Their engineering subcontractors? Their cloud file-sharing platforms? Each represents a potential entry point for attackers who want utility data without attacking the utility directly.
Pickett USA specializes in aerial surveying and LiDAR services. They're exactly the kind of vendor that has detailed infrastructure data flowing through their systems constantly. That makes them a target.
Who's Investigating
Duke Energy confirmed they're investigating the claims. In a statement, the company said their cybersecurity team is "working to protect our systems and information" in response to the alleged breach.
Tampa Electric and American Electric Power have not publicly commented.
Pickett USA has been silent. Their website is still operational. They're still advertising LiDAR and engineering services to utility clients. Business as usual, apparently.
The Supply Chain Pattern
This breach follows a familiar pattern that has defined major cyber incidents in recent years:
- Target the vendor, not the victim: Utilities have security teams. Engineering subcontractors often don't.
- Steal credentials, not networks: Why hack through firewalls when you can phish a password?
- Monetize the data: sell to the highest bidder, whether nation-states, ransomware groups, or just curious attackers with Bitcoin.
We've seen this pattern with SolarWinds, MOVEit, and dozens of other supply chain attacks. The target companies often don't know they're exposed until their data shows up on a dark web marketplace.
Critical infrastructure is particularly vulnerable because the industry relies heavily on specialized vendors. Power companies can't do everything in-house. They need surveyors, engineers, equipment manufacturers, software providers. Each vendor is a potential breach vector.
Why This Data Is Dangerous
Infrastructure attacks are increasingly physical. In recent years, we've seen:
- Gunfire attacks on substations in North Carolina (December 2022) that left 45,000 without power
- Coordinated attacks on Pacific Northwest electrical infrastructure (2022-2023)
- Multiple foiled plots against power grid components
The FBI and DHS have warned repeatedly about the vulnerability of the electrical grid to physical attacks. What makes this breach concerning is the precision of the stolen data.
LiDAR point clouds aren't just images; they're precise 3D measurements. Combined with substation layouts and transmission corridor data, an attacker could identify exactly where damage would cause maximum disruption: critical junction points, hard-to-repair equipment, dependencies between systems.
This is reconnaissance data for infrastructure sabotage. And it's now available to anyone with $600,000 and an interest in American power grid vulnerabilities.
What You Can Do
For Utility Customers
There's no personal data to worry about here. This breach targets infrastructure, not individuals. But consider emergency preparedness: extended power outages are increasingly likely due to weather, cyber attacks, and infrastructure age. Have backup power options, food supplies, and communication plans.
For Critical Infrastructure Organizations
Audit your vendor ecosystem immediately. Who has access to sensitive engineering data? What are their security practices? Do they use MFA? How do they store credentials? Your security perimeter extends to every contractor with access to your systems.
For Engineering Firms
If you handle infrastructure data for utilities, you're a target. Implement credential monitoring services that detect when employee passwords appear in infostealer logs. Require hardware security keys for cloud access. Encrypt data at rest with keys your cloud provider can't access.
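As an added example (not code from the article, and not from any firm or utility named in it), here is the credential-monitoring step above reduced to its core: a small Python scanner that reads stealer-log style records, matches them against the organisation's own identity domain and cloud file-storage hosts, and maps each hit to a response action. The record layout, the domains (`engineering-firm.example`, `cloud-storage.example`) and the sample records are constructed placeholders, not real data. It also reflects the point from the "How They Got In" section that infostealers take session cookies and tokens along with passwords, which is why a password reset on its own is not a complete response.

```python
"""
Added example: a minimal credential-exposure monitor for stealer-log style
records.  Everything here (log layout, domains, sample records) is constructed
for illustration; real stealer dumps vary in format and should be handled in
a controlled environment.  Passwords are parsed only far enough to skip over;
they are never stored or printed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical organisation being protected (placeholder domain, not a real one).
WATCHED_IDENTITY_DOMAINS = {"engineering-firm.example"}
# Cloud file-storage hosts the organisation relies on (placeholders).
WATCHED_STORAGE_HOSTS = {"files.cloud-storage.example", "share.cloud-storage.example"}

# Constructed sample records in a "URL | USER | PASS" layout plus one cookie record.
SAMPLE_LOG = """\
URL: https://files.cloud-storage.example/login | USER: jdoe@engineering-firm.example | PASS: Summer2025!
URL: https://mail.unrelated.example/ | USER: someone@other.example | PASS: hunter2
URL: https://share.cloud-storage.example/auth | USER: asmith@engineering-firm.example | PASS: Tr0ub4dor&3
URL: https://shop.example/cart | USER: jdoe@engineering-firm.example | PASS: reused-password
URL: https://intranet.vendor.example/ | USER: bob | PASS: nope
COOKIE: files.cloud-storage.example | NAME: session | VALUE: eyJhbGciOi...
"""

CRED_RE = re.compile(r"URL:\s*(?P<url>\S+)\s*\|\s*USER:\s*(?P<user>\S+)\s*\|\s*PASS:")
COOKIE_RE = re.compile(r"COOKIE:\s*(?P<host>\S+)\s*\|\s*NAME:\s*(?P<name>\S+)\s*\|")


@dataclass(frozen=True)
class Hit:
    kind: str      # "credential" or "cookie"
    host: str      # site the secret belongs to
    account: str   # username, or a marker for cookie records
    reason: str    # why this record matters to the watched organisation
    action: str    # what the responder should do


def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def classify(line: str):
    """Return a Hit if the record concerns the watched organisation, else None."""
    m = CRED_RE.match(line)
    if m:
        host = _host_of(m["url"])
        user = m["user"].lower()
        user_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if host in WATCHED_STORAGE_HOSTS:
            return Hit("credential", host, user,
                       "login for a watched cloud storage host",
                       "force password reset, revoke all sessions and API tokens, "
                       "review the storage audit log for access since the log date")
        if user_domain in WATCHED_IDENTITY_DOMAINS:
            return Hit("credential", host, user,
                       "corporate identity used on a third-party site",
                       "reset if the password is reused, notify the user, "
                       "check whether the same identity backs SSO")
        return None
    c = COOKIE_RE.match(line)
    if c and c["host"].lower() in WATCHED_STORAGE_HOSTS:
        return Hit("cookie", c["host"].lower(), "(session cookie)",
                   "stolen session cookie for a watched storage host",
                   "invalidate sessions server-side; a password reset alone does not help")
    return None


def scan(log_text: str) -> list:
    """Scan a whole log dump and return the hits in file order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            hit = classify(line)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.kind}] {h.host} {h.account}: {h.reason} -> {h.action}")
```

Two design choices matter here. The matcher never keeps the password value, so a monitoring pipeline built this way does not become a second copy of the leak. And cookie records are treated as a distinct class with a distinct action, because a live session cookie lets an attacker skip the login step entirely; rotating the password without revoking sessions leaves that access in place.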
For Everyone
This breach illustrates why supply chain security matters. The critical infrastructure you depend on is only as secure as its weakest vendor. Advocate for regulations that require security standards throughout the supply chain, not just at the utility level.
The Bigger Picture
The American power grid is increasingly digital, and increasingly vulnerable. Utilities are adding smart meters, networked substations, and remote monitoring capabilities. Each new connection is a potential attack surface.
But the most dangerous vulnerabilities aren't technical. They're organizational. The grid depends on a network of vendors, contractors, and service providers that lack the security resources of the utilities themselves. Attack the weak link, compromise the chain.
This breach exposes exactly what happens when supply chain security fails. A Tampa engineering firm gets compromised, and suddenly detailed infrastructure data for power companies serving millions is available to anyone with cryptocurrency.
Duke Energy is investigating. The data is still for sale. The vulnerability is still open.