Pierluigi Paganini October 08, 2024

American Water, the largest publicly traded water and wastewater utility company in the US, shut down some of its systems following a cyberattack.

American Water, the largest U.S. water and wastewater utility company, shut down some systems following a cyberattack.

American Water is an American public utility company that, through its subsidiaries, provides water and wastewater services in the United States. Its regulated operations provide water and wastewater services to approximately 1,700 communities in 14 states, serving a population of approximately 14 million. The company has 3.4 million customers which includes residential, commercial, fire service and private fire, industrial, government facilities, and other water and wastewater utilities.

On October 3, 2024, the company discovered unauthorized access to its computer networks. As part of the incident response procedure, the company disconnected and deactivated certain systems.

“On October 3, 2024, American Water Works Company, Inc. (the “Company”) learned of unauthorized activity within its computer networks and systems, which the Company determined to be the result of a cybersecurity incident. Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident.” reads the Form 8-K filed with SEC. “The Company also promptly notified law enforcement and is coordinating fully with them. The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems.”

According to the company, its water and wastewater facilities and operations remain unaffected by the incident.

American Water estimates minimal financial impact from the security incident, though the full impact is still uncertain.

The company notified law enforcement about the attack and is investigating the security breach with the help of cybersecurity experts

The company did not share technical details on the security breach, however, the incident response procedure adopted suggests it was the victim of a ransomware attack.

Recently, Arkansas City was forced to switch its water treatment facility to manual operations due to a cyberattack.

In the past, we observed multiple attacks against water facilities; in January the Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water, a major player in the UK water industry.

In December 2023, threat actors launched a cyberattack on an Irish water utility causing the interruption of the power supply for two days.

In November 2023, the Daixin Team group claimed to have hacked the North Texas Municipal Water District (US) and threatened to leak the stolen data.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, critical infrastructure)