American Water Works cyberattack forces company to pause billing


American Water Works, the nation's largest water and wastewater utility, confirms to Cybernews it has been forced to shut down its customer billing portal on Monday after a cyberattack hit the services company last week.

The utility company, which is responsible for “providing safe, clean, reliable, and affordable drinking water and wastewater services to more than 14 million people across 24 states,” filed an 8K breach notice with the US Securities and Exchange Commission on Monday.

Headquartered in New Jersey, the public utility company said it had first learned of the “unauthorized activity within its computer networks and systems” on October 3rd.

ADVERTISEMENT

In a statement sent to Cybernews, an American Water Works spokesperson said the company “currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.”

Still, to contain the damage to its IT environment, the spokesperson said American Water was forced to “disconnect or deactivate certain systems,” as part of its incident response protocols.

American Water Works SEC filing
American Water Works filed an 8K breach notice with the US Securities and Exchange Commission dated October 7ht, 2024. Image by Cybernews.

While it is further investigating the “cybersecurity incident” with law enforcement and third-party experts, the company also posted an update to customers on its website Monday.

To protect customers’ data, American Water said it has proactively taken the MyWater customer service portal offline, “which means we are pausing billing until further notice.”

Additionally, the company said its call center will have “limited functionality” while the portal is down, adding that it was “working diligently to bring our systems back online safely and securely.”

The website also noted that while “MyWater remains unavailable, there will be no late charges or services shut-offs.”

“Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident,” the spokesperson said.

ADVERTISEMENT

It’s not clear if any customer or employee data was compromised in the attack.

American Water Works website update
amwater.com. Image by Cybernews.

American Water Works serves roughly 1700 communities in the US, including 18 military installations, and employs more than 6,500 workers.

The company says it serves both residential homes and businesses through regulated subsidiaries, also performing contract operations for military bases and municipalities that own their utility systems.

Dating back to 1886, the largest regulated water and wastewater utility company in the US said it takes “the cybersecurity of our systems with utmost seriousness and is taking additional steps to strengthen the cybersecurity of American Water’s systems.”

“Our customers and the data we maintain remain our highest priorities,” it said.

"As we continue to contain and remediate our environment, we will share updated information as appropriate on the American Water website," the spokesperson added.

Last December, Iranian hackers were able to compromise two separate water treatment facilities in Pennsylvania, and in August the FBI released a joint advisory warning that Iranian state-sponsored hackers were assisting ransomware groups to specifically target US critical infrastructure and government agencies.

ADVERTISEMENT