A cyberattack has struck American Water, disrupting billing systems yet safeguarding uninterrupted water services to millions.
At a Glance
- American Water’s billing systems were disrupted by a cyberattack, but water services remain unaffected.
- The company serves approximately 14 million people across 14 states and military installations.
- Immediate response included shutting down the MyWater account system and call center.
- American Water is working with law enforcement and cybersecurity experts to contain the breach.
Attack Overview
On October 3, American Water faced a cyberattack impacting its computer networks. This incident necessitated the shutdown of the MyWater account system, causing billing disruptions and rescheduled customer appointments. To prevent additional unauthorized access, certain systems were deactivated, and the call center was scaled down. Efforts to contain and mitigate the breach involved collaboration with cybersecurity professionals and law enforcement agencies. The company operates more than 500 water systems serving around 14 million people, spanning 14 states.
No water or wastewater facilities were harmed, ensuring uninterrupted service for customers. While no hacker group has claimed ownership of the attack, American Water’s proactive measures demonstrate their commitment to customer safety and data protection.
American Water stops billing for H2O due to 'cybersecurity incident' https://t.co/JGt3qEGan7
— The Cyber Security Hub™ (@TheCyberSecHub) October 7, 2024
Response and Consequences
American Water engaged law enforcement and cybersecurity experts “to assist with the containment and mitigation activities.” Measures taken include disconnecting or deactivating affected systems to protect data and restore operations efficiently. This attack reflects broader vulnerabilities within the water sector highlighted by recent cybersecurity warnings, prompting increased scrutiny by the EPA.
To reduce customer inconvenience, American Water announced that customers would not be charged late fees while systems are down. Filed reports to the SEC confirm thorough legal compliance in handling the breach. Despite these measures, some parts of the company’s website remain inaccessible, resulting in communication challenges during the incident.
Sector-wide Implications
This cyberattack underscores vulnerabilities in U.S. water systems, as identified by the EPA’s finding that over 70% of systems are non-compliant with cybersecurity requirements. Recent trends show increasing threats from state-sponsored actors targeting critical infrastructure. The White House and cybersecurity agencies emphasize the need for stricter regulatory measures and enhanced defensive capabilities across the sector.
With a $2.7 billion capital investment by American Water in 2023, and plans for $3.1 billion in 2024, the priority remains ensuring continuity and security of its services while addressing these emerging cyber threats effectively.
