American Water reported a cyberattack impacting its computer networks and pausing some services.
American Water Works Company, Inc., the largest regulated water and wastewater utility in the United States, has disclosed that it was the target of a cyberattack.
Stacy Mitchell, executive vice president and general counsel at American Water, wrote in the filing that the company discovered that unknown parties had unlawfully breached the company’s computer networks and systems, prompting the utility to shut down some of its systems, launch an investigation, and contact law enforcement.
Mitchell said that American Water does not believe that the cyberattack negatively impacted any of its wastewater or drinking water systems.
“Although the Company is currently unable to predict the full impact of this incident, the Company does not expect the incident will have a material effect on the Company, or its financial condition or results of operations,” Mitchell wrote in the filing.
The utility’s online customer portal, MyWater, has been temporarily taken offline to protect sensitive data, according to a security-related notice issued by the company. Customers will not incur late fees or face service disruptions while the portal remains down, and the company’s call center is operating with limited functionality. Drinking water remains safe to drink.
Related Stories
“We are working diligently to bring the disconnected systems back online safely and securely,” the notice reads. “Investigations of this nature take time, and we will share information when and as appropriate.”
The attack against American Water happened amid heightened cybersecurity concerns in the water sector.
According to the EPA’s alert, a recent review revealed that over 70 percent of inspected water systems violated basic cybersecurity requirements under the Safe Drinking Water Act’s Section 1433, which mandates risk and resilience assessments and emergency response plans. Citing vulnerabilities like unchanged default passwords and inadequate system access controls, the EPA said it had increased its enforcement actions to ensure compliance and mitigate cyber risks.
“These malicious cyber actors have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future,” EPA warned in its alert, which was updated on June 6.
Wray made the remarks in a speech at Vanderbilt University in Nashville, Tennessee, saying that the threats posed by China-sponsored hackers are no longer a future matter but are “upon us now.”
“Its plan is to land low blows against civilian infrastructure to try to induce panic,” Wray said, adding that China’s hacking program is larger than every other major nation combined, and that the regime is developing the ability to physically attack critical U.S. infrastructure at a time of its choosing.