Ransomware victim disclosure
← All victimsMorris Group International
Claimed by ORION · listed 4 days ago
Status timeline
- Listed
May 17, 2026
- Data leaked
At a glance
- Group
- ORION
- Status
- Data leaked
- Country
- US
- Sector
- Manufacturing
- Listed on leak site
- May 17, 2026
- Data size
- 0.5TB
About the victim
AI dossier — public-source company profileMorris Group International (MGI) is a family-owned US manufacturer headquartered in City of Industry, California, comprising 28 divisions and partnerships across 27 locations worldwide. The company designs, manufactures, and distributes engineered plumbing and drainage products, stainless steel fixtures, vacuum plumbing systems, drinking fountains, electric water heaters, and fire protection products, with over 2,000 employees and more than 2.5 million square feet of manufacturing, office, and warehouse space. Key subsidiaries include Acorn Engineering Company, Jay R. Smith Mfg. Co., AcornVac, Elmdor, and FirePro.
- Industry
- Engineered Plumbing, Drainage & Building Products Manufacturing
- Address
- City of Industry, CA (headquarters at Acorn Engineering Company facility)
- Employees
- 2000
- Founded
- 1954
Attack summary
Severity: high — 0.5 TB of confirmed exfiltrated and published data includes proprietary intellectual property (patents, chemical formulations, product designs), commercial contracts, and partner/client records, representing significant business and competitive harm across a 2,000+ employee multi-division manufacturer; no regulated PII at scale is explicitly stated, precluding critical.The ORION ransomware group claims to have exfiltrated approximately 0.5 TB of data from Morris Group International and has published the data following unmet ransom conditions. The alleged stolen data includes partner and client records, commercial contracts, product sketches, chemical properties of products, and patent documentation.
Data the group says was taken
AI dossier — extracted from the leak post- Partner records
- Client records
- Commercial contracts
- Product sketches/design drawings
- Chemical properties of products
- Patent documentation
- Subsidiary company data (AcornVac, Elmdor, Murdok, FirePro, Smith)
What the group claims
Morris Group International includes 28 divisions and partnerships and 27 locations worldwide. Manufactures stainless steel toilets, engineered plumbing and drainage products, vacuum plumbing systems, drinking fountains, and electric water heaters. Has 2,000+ employees and over 2.5 million square feet of manufacturing, office, and warehouse space. Subsidiaries include AcornVac, ELMDOR, murdok, firepro, Smith.
The leak post
captured from the group's siteThis link was hidden until the publication conditions were met morrisgroupint.com Morris Group International includes 28 divisions and partnerships and 27 locations worldwide. From stainless steel toilets, engineered plumbing and drainage products, and vacuum plumbing systems to drinking fountains and electric water heaters, our products come out of our manufacturing facilities in North America ready to meet the needs of any construction or building project. Because we research, design, and manufacture our own products, customers have the benefit of going to one supplier to get the job done with choices that meet ADA requirements, environmental concerns, and the highest standards for safety and design. With over 75 patents and thousands of products, Morris Group International has 2,000+ employees and over 2.5 million square feet of manufacturing, office, and warehouse space. 0.5TB date sensitive. Partners, clients, commercial contracts, sketches, chemical properties of products, patents, etc. Also subsidiaries: AcornVac / ELMDOR / murdok / firepro/ Smith/ Stay informed about the latest data breaches and cybersecurity incidents affecting organizations worldwide.
Data the group says was taken
- partner information
- client information
- commercial contracts
- sketches
- chemical properties of products
- patents
Screenshot of the leak post
Sources
Source
Indexed 4 days agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.