The Cannon Corporation dba CannonDesign is sending notices of a data breach to more than 13,000 of its clients, informing that hackers breached and stole data from its network in an attack in early 2023.

CannonDesign is a multi-awarded architectural, engineering, and consulting firm based in the United States, recognized for its work on high-profile projects such as academic buildings, hospitals, and sports arenas.

The company, ranked one of the most innovative innovative architecture firms in the world, has been involved in major projects like the University of Minnesota Health Clinics and Surgery Center, and the multi-purpose stadium at the University of Maryland.

The notification letter that CannonDesign started sending to impacted individuals informs of a security incident that occurred between January 19-25, 2023, which involved unauthorized network access and data exfiltration.

Although the firm discovered the intrusion on January 25, 2023, the investigation into the incident was only completed on May 3, 2024, and it took them another three months.

The investigation revealed that the threat actor behind the attack might have accessed names, addresses, social security numbers (SSNs), and driver’s license numbers.

Notification recipients are offered 24-month credit monitoring through Experian to mitigate the risk that stems from their personal data exposure, though it should be noted that this comes with a significant delay.

Avos Locker attack

Even though Cannon Design has not named the cybercriminals responsible for the attack, a spokesperson confirmed to BleepingComputer that the disclosure relates to the Avos Locker ransomware attack that occured early in 2023.

Also, the firm states that it is not aware of any attempted misuse of the stolen information, although the data has been published online multiple times and on various sites.

On February 2, 2023, the Avos Locker ransomware gang announced a breach on CannonDesign, claiming to hold 5.7 TB of stolen data, including corporate and client files.

After the threat actor’s presumably failed to extort the architectural firm, the baton was passed to Dunghill Leaks, which published 2TB of data stolen from CannonDesign on September 26, 2023.

The data allegedly included database dumps, project schematics, hiring documents, client details, marketing material, IT and infrastructure details, and quality assurance reports.

Dunghill Leaks is a data leak site launched by the Dark Angels ransomware group in April 2023 and used to pressure victims into paying the ransomware demand.

In February 2024, the same dataset was published on hacker forums in the dark web, including ClubHydra, while one part of the dataset was shared via torrent on Breached Forums in July 2024.

BleepingComputer has contacted CannonDesign to confirm that the disclosed data breach is linked to the same dataset that has been circulated online for over a year now, but a comment wasn’t immediately available.