American Water discloses breach, utilities unaffected

American Water says in its 8-K filing that it disconnected and deactivated certain systems in its incident response, though the nature of the cyberattack is unknown.

Public utility giant American Water Works Company Inc. disclosed a data breach Monday involving its IT systems.

The company disclosed the compromise via an 8-K filing with the U.S. Securities and Exchange Commission as well as an update to its website. According to the website disclosure, American Water on Oct. 3 learned of unauthorized activity within its systems that "has since been determined to be the result of a cybersecurity incident." Because its computer networks and systems were affected, the company said it proactively took its customer portal offline and has temporarily paused customer billing.

"In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems," the website disclosure read.

American Water said it engaged law enforcement and third-party cybersecurity professionals as part of its incident response plan.

Regarding utility services and water quality, the company said, "We currently believe that none of its water or wastewater facilities or operations have been negatively impacted by this incident." Moreover, it added that customer water is safe to drink.

Attacks on critical infrastructure can create unique concerns compared with other categories of cyberattacks. However, utilities like drinking water generally have a number of fail-safes that make physically harmful cyberattacks exceedingly unlikely to occur.

In a FAQ entry about whether customer information was at risk, American Water said, "Our team is working around the clock to investigate this incident and safely restore our systems. Investigations of this nature take time, and we will provide more information when and as appropriate."

Similar information is available in the 8-K filing. Both the public disclosure and 8-K reference a decision by the company to disconnect or deactivate certain systems to prevent further damage. However, questions remain about the nature of the breach -- which American Water did not specify -- and whether ransomware could be involved.

TechTarget Editorial asked American Water whether the compromise involved ransomware, but a spokesperson declined to comment. Instead, they shared the following statement:

American Water recently experienced a cybersecurity incident of which it learned on Thursday, October 3, 2024. Upon learning of the issue, our team immediately activated our incident response protocols, and third-party cybersecurity experts to assist with containment, mitigation and an investigation into the nature and scope of the incident. We also contacted and are receiving assistance from law enforcement, and we are coordinating fully with them.

In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. There will be no late charges for customers while these systems are unavailable. Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident. As we continue to contain and remediate our environment, we will share updated information as appropriate on www.amwater.com. The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.

Water and wastewater services have gained increased attention within the cybersecurity space this year as multiple entities have suffered attacks. Last month, an attack of limited scope reached the water supply system of Arkansas City, Kan. And in January, U.K. utility company Southern Water disclosed a cybersecurity incident it suffered at the hands of notorious ransomware gang Black Basta. That same month, CISA published an incident response guide warning of threats against the water and wastewater sector.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
