American Water Works, the largest publicly regulated water and wastewater utility company in the United States, was hit by a significant cyberattack, leading to the shutdown of key systems. The attack, which took place on October 3, 2024, was disclosed in a regulatory filing with the U.S. Securities and Exchange Commission (SEC). While the breach did not disrupt water or wastewater services, it has raised concerns about the vulnerability of critical U.S. infrastructure to cyber threats.
Upon detecting unauthorized activity in its computer networks, American Water activated its incident response protocols, bringing in cybersecurity experts to investigate the extent of the breach and mitigate any potential damage. The company took immediate steps to disconnect or deactivate affected systems, including its customer portal and billing services. As a precaution, American Water assured customers that there would be no late fees while services were offline.
π¨πΊπΈ#BREAKING | UPDATE MASSIVE CYBER ATTACK ON AMERICAN WATER WORKS THAT SUPPLIES OVER 14 MILLION PEOPLE IN 14 STATES β οΈπ§
THEY PROVIDE DRINKING WATER AND WASTEWATER SERVICES TODAY HERE IS THE LIST βοΈ pic.twitter.com/oOmvGWRF2P
— Todd ParonπΊπΈπ¬π·π§π½ (@tparon) October 8, 2024
The nature of the attack is still under investigation, and it remains unclear whether ransomware was involved, a common feature in previous cyberattacks on critical infrastructure. A company spokesperson emphasized that, despite some systems being taken offline, water and wastewater operations continued as normal.
American Water provides essential services to over 14 million customers across 14 states and 18 military installations, making the attack especially concerning. The incident comes amid a surge in cyberattacks on critical U.S. infrastructure, with hackers increasingly targeting sectors like water, transportation, and energy. Earlier this year, a similar attack on a Kansas water treatment facility forced it to switch to manual operations.
Massive cyber attack in Iran π pic.twitter.com/ktPhy25a2k
— Aviva Klompas (@AvivaKlompas) October 11, 2024
Federal agencies, including the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA), have been sounding the alarm about the rising threats to the water sector. Both agencies recently issued updated cybersecurity guidelines for water utilities, stressing the need for better cyber defenses to prevent such incidents.
This attack is part of a broader trend of hackers, often state-sponsored, targeting U.S. infrastructure. Recent reports highlighted Chinese and Iranian cyber actors infiltrating American utilities, raising fears about the potential for more widespread disruptions in the future.
Although American Water has downplayed the financial impact of the breach, stating that the attack is not expected to significantly affect its operations or revenue, the event serves as a stark reminder of the growing cybersecurity challenges facing the nation's critical infrastructure. As cyberattacks become more sophisticated, U.S. utilities and other essential service providers are under increasing pressure to bolster their defenses.
For now, American Water is working with law enforcement and cybersecurity experts to determine the full scope of the incident. However, the company has yet to confirm the identity of the attackers or the precise method used to breach its systems. The investigation remains ongoing as the company takes further steps to secure its network and prevent future attacks.