Cyberattack Forces American Water to Disconnect Customer Portal

A major U.S.-based public utilities company, American Water, said it was impacted by a security incident on Oct. 3. American Water is the largest U.S. water and wastewater company, and provides water and wastewater to 14 million people across 14 states. After discovering the “unauthorized activity” on its networks and systems last week, the company disconnected and deactivated “certain systems.” This includes MyWater, which is American Water’s portal for customers to access and manage their accounts.

Key Details:

• American Water said “we currently believe that none of its water or wastewater facilities or operations have been negatively impacted by this incident.” The company said that water is safe to drink

• The company took its MyWater portal offline, and customer billing will be paused until further notice. American Water said there will be no late charges or services shut off while MyWater is unavailable

• As for the data impacted by the incident, American Water said it will provide more information about what information is at risk when it can

• The company also filed an 8-K filing with the SEC about the incident, which states that it “does not expect the incident will have a material effect on the Company, or its financial condition or results of operations”

The Incident’s Nature and Scope: American Water said that it is currently working to investigate the nature and scope of the incident - however, “this investigation is ongoing and will take time to complete,” according to the company in a statement. American Water did not publicly disclose who is behind the incident.

The Big Picture: This incident comes as the U.S. government continues to warn of cybersecurity threats to critical infrastructure entities, including U.S. water and wastewater systems. In a 2021 advisory about attacks targeting this sector, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that wastewater treatment facilities had been hit three times in seven months by ransomware groups. Meanwhile, last year CISA warned that threat actors were targeting security weaknesses in a Unitronics device used in water treatment facilities. And this year, several water treatment facilities - like one in the City of Arkansas City - were targeted in cyberattacks as well. As we can see from these incidents, this is a lucrative sector for threat actors.

What’s Next? American Water is working with third-party security companies for containment, mitigation and an investigation, and has notified law enforcement as well. According to American Water: “We are working diligently to bring the disconnected systems back online safely and securely. Investigations of this nature take time, and we will share information when and as appropriate.”