Construction Firms Lost $5.2 Billion to Cyberattacks in One Year. The Problem Was Never the Security Stack.

54% of construction leaders name data protection as their top AI fear. The solution is governance.

Strategy
Construction site at dusk with digital data streams overlaid on steel framing

Construction firms lost more than $5.2 billion to cyberattacks in 2022 alone. NCC Group's 2024 Annual Cyber Threat Monitor found the Industrials sector, which includes construction, experienced 27 percent of all global cyberattacks that year — a 15 percent increase from 2023.

These attacks are not abstract risk events. Four named firms tell the story.

Bouygues Construction was hit by a Maze cyberattack in January 2020. 237 computers encrypted. More than 1,000 terabytes of data frozen. Attackers published employee names, home addresses, phone numbers, social insurance numbers, banking details, and drug test results online. Ransom demand: 10 million euros. Bird Construction was hit a month earlier: 60 gigabytes of data frozen, $9 million CAD ransom demand. Skender Construction, a Chicago-based general contractor, was hit in March 2023: 1,067 individuals affected, personal information potentially accessed. Turner Construction has been hit twice — once by spear phishing that sent employee W-2 data to a fraudulent account, and once by a Ryuk attack that forced systems offline.

Construction firms hold uniquely valuable data and have historically underinvested in data security. The real question is why recovery was so costly and so slow. The answer is governance.

The data you hold matters more than you think

Your bid pricing database contains years of proprietary cost data. Your subcontractor financial qualifications contain bonding history, credit information, and firm financials. Your BIM models contain structural, mechanical, and systems data that took significant fees and labor to produce. Your project schedules contain critical path logic that competitors would pay to understand before a bid.

All of it lives in Procore, Primavera, Autodesk Docs, Vista, and BIM 360. Most of it is accessible to most of your team, because nobody defined access levels when the tools were adopted. When an attack hits a firm in that state, everything freezes. Recovery is slow because nobody knows which systems are essential, which data is authoritative, or who owns what.

54 percent of construction firms cite data protection as their gravest concern about AI adoption, per Dentons' Global AI Survey. Yet formal data governance structures remain rare. The majority of standard AI vendor contracts claim data usage rights beyond service delivery — meaning the tools your estimating team uses to speed takeoffs may be feeding your historical bid pricing and subcontractor financials into models that benefit competitors.

"

Before any AI tool enters your firm, someone on your leadership team needs to be able to say: here is what the AI can see, here is what it can recommend, and here is what only a human approves. If you cannot say that today, the tool is not your first problem.

Four decisions before any vendor conversation

Which data types require what access level. Bid pricing and subcontractor financials should not be accessible to the same tools and roles as project scheduling. Define tiers now — before the tools arrive.

Which workflows AI can act on autonomously versus recommend only. Some decisions AI can make without review: formatting, data aggregation, routine reporting. Others require human approval: anything touching financial data, personnel records, or client deliverables.

Which vendor contract terms are non-negotiable. Before any AI vendor conversation, define your data usage boundaries: no training on proprietary data, no benchmarking against your cost history, data deletion rights on contract termination. These terms are negotiable before signing and nearly impossible to enforce after.

Who on your leadership team owns data governance decisions going forward. This belongs to a COO or VP of Operations — someone with authority over operational workflows and vendor relationships.

These decisions do not start with a vendor demo. They start with questions. Here are the ones we hear most often.

Our Discovery engagement exists for exactly this moment. Six weeks to build the governance framework, define the decision rights, and produce the Workflow Map before any vendor touches your data. The output is a framework your leadership team agrees on and a set of vendor contract requirements your legal team can enforce.

Humanity for what matters. AI for everything else.

Questions worth asking
Why is construction one of the top cyberattack targets globally?
NCC Group's 2024 Annual Cyber Threat Monitor found the Industrials sector, which includes construction, experienced 27% of all global cyberattacks that year, a 15% increase from 2023. Construction firms are attractive targets because they hold uniquely valuable data: bid pricing databases, subcontractor financials, BIM models, and project schedules. That data has competitive and financial value well beyond the ransom demand itself.
What data types in a construction firm carry the highest AI security risk?
Bid pricing and historical cost databases are the highest-value target because they represent years of competitive intelligence. AI vendors who gain access to this data through broad contract rights can use it to train models that benefit competitors. After bid data, subcontractor financial qualifications, employee safety records, and BIM models carry significant exposure. BIM files can be manipulated during an attack — attackers have altered structural data in-file without firms detecting the change until construction was underway.
What should I look for in an AI vendor contract around data rights?
Look for any clause that permits the vendor to use your data for model training, benchmarking, product improvement, or any purpose beyond delivering the contracted service. Browne Jacobson's 2026 legal analysis found the majority of standard AI vendor contracts claim data usage rights beyond what is necessary for service delivery. For construction firms, this means bid pricing, cost history, and subcontractor financials may be used in ways that benefit competitors. Have your legal counsel review and redline any clause that grants rights beyond direct service delivery before signing.
What does data governance mean for a construction firm deploying AI?
Data governance means defining, before any AI tool is deployed, four things: which data types require what access level, which workflows AI can act on autonomously versus recommend only, which vendor contract terms are non-negotiable, and who on the leadership team owns data governance decisions going forward. It is a leadership conversation that produces clear decision rights — and those decision rights are what make recovery possible when something goes wrong.
What is NIST AI RMF and does my construction firm need to follow it?
NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework with four functions: Govern, Map, Measure, and Manage. No federal regulation currently mandates it for private construction firms, but it is increasingly referenced in owner contracts and public procurement requirements. The Govern function is the one most relevant before AI deployment: it covers establishing roles, responsibilities, and policies for AI risk — exactly what data governance requires.
What does a cyberattack actually cost a mid-size construction firm?
Direct ransom demands in documented construction attacks range from $9 million CAD (Bird Construction) to 10 million euros (Bouygues Construction). But the ransom is rarely the largest cost. Operational downtime during an active bid cycle, forensic investigation, CCPA notification obligations (which apply to any for-profit firm with over $26.6M in revenue), and reconstruction of corrupted data typically exceed the ransom itself. IBM's 2025 Cost of a Data Breach Report puts the average total breach cost across industries at $4.88 million — and construction firms, operating on thin margins, absorb that cost differently than higher-margin businesses.