mcalvain cactus ransomware

McAlvain Companies, an Idaho-based large construction firm, on April 4, 2024 confirmed (PDF) a data breach that leaked confidential human resources info including employee Social Security numbers, names, addresses, and dates of birth.

The notification letter sent to affected individuals reads, “MCI recently experienced a data security incident in which an unauthorized third party compromised MCI’s computer system. We immediately activated our incident response plan, engaged additional third-party experts, and commenced an investigation.”

Ransomware group Cactus claimed the attack last month. McAlvain has not stated how many people were affected, how attackers infiltrated its systems, or whether a ransom was demanded. McAlvain has 250 employees, according to its website.

Comparitech contacted McAlvain Companies for comment and will update this article if it responds.

Although McAlvain says it has no evidence that the data has been misused, affected employees should still take precautions. Take advantage of the free credit monitoring offered by McAlvain through Cyberscout. Monitor your credit reports and bank statements for suspicious activity.

Who is Cactus?

Cactus ransomware first surfaced in March 2023. According to our data, it’s responsible for 18 confirmed attacks so far, including a January attack on Schneider Electric that saw it steal terabytes of corporate data.

Cactus employs double extortion against targets, forcing them to pay two ransoms: once to decrypt their systems, and again to not sell or publicly release stolen data. Its initial attacks include vulnerability exploits, phishing, and using stolen login credentials purchased on the dark web.

About McAlvain Companies

Founded in 1980, McAlvain is a large-scale construction firm based in Boise, Idaho. According to its website, its revenue exceeds $2 billion per year. It specializes in construction management, general contracting, design build, and concrete services throughout the western United States.