Image Alliance | Image Alliance | Getty Images
American waterThe largest water utility in the United States revealed that it had been subjected to a cyber attack.
The Camden, New Jersey-based company said in a security statement on its website that it became aware of “unauthorized activity in our computer networks and systems” last Thursday, which it determined was “the result of a cybersecurity incident.”
The company said Tuesday that it has closed its customer service portal and, as a result, its billing function “until further notice” and will not charge any late fees or other fees related to billing as long as the system is down.
Some recent hacks of major US companies have taken major systems online and created chaos for consumers and businesses, such as the UnitedHealth hack that led to nationwide difficulty among patients needing prescriptions and healthcare professionals needing to pay for services.
Hacks targeting US water infrastructure, in particular, have increased, with some attacks linked to geopolitical rivals of the US, including Iran, Russia and China.
Taking over critical national infrastructure has become a top priority for foreign-linked cybercriminals. “All drinking water and wastewater systems are at risk — large and small, urban and rural,” an EPA spokesperson recently told CNBC.
American Water provides drinking water and wastewater services to more than 14 million people through regulated operations in 14 states and 18 military installations.
One recent Russian-linked hack last January was of a water filtration plant in the small Texas town of Moleshoe, which was located near a US Air Force base. “Water is among the least mature in terms of security,” Adam Ailes, head of Chertoff Group’s cybersecurity practice, told CNBC recently.
The FBI warned Congress in February that Chinese hackers had penetrated deep into U.S. cyber infrastructure in an attempt to cause damage, targeting water treatment plans, the electric grid, transportation systems and other critical infrastructure.
America Water said it is still in the early stage of the investigation and “currently believes” that no water or wastewater facilities or operations were affected and that the water remains safe to drink.
Third-party law enforcement and cybersecurity experts are now participating, the company said.
American Water did not immediately respond to a request for additional comment.
A growing cybercrime wave targeting key water infrastructure led the EPA to issue an enforcement alert warning that 70% of the water systems it inspected did not fully comply with Safe Drinking Water Act requirements. Without specifying a specific number, the EPA said some had “troubling cybersecurity vulnerabilities” — default passwords that had not been updated, weak single sign-on settings, and former employees who retained access to the systems.
American Water said it first became aware of the unauthorized computer access on October 3, and was then able to determine it was a cyberattack. She said the shutdown of customer systems was to protect data, although she added that it was too early to know if any customer information was at risk.
A spokesman for American Water declined to comment beyond the official security statement.