Cyberattack on American Water Shuts Down Customer Portal, Halts Billing

American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident.

American Water has become the latest target of a cyberattack affecting its computer networks and systems, which the company has described as a “cybersecurity incident.”

For your information, American Water is the largest publicly traded water and wastewater utility company in the United States, providing services to millions of customers, and it is based in Camden, New Jersey.

The issue was first detected on October 3, 2024, initiating immediate action by the company to protect customer data and its online and physical infrastructure. American Water has also temporarily taken its customer portal, MyWater, offline, putting a halt to billing operations until further notice.

Although the nature of the cyberattack—whether a data breach or ransomware attack—remains unknown, American Water’s security advisory states that the company has mobilized a team of cybersecurity professionals and internal experts who are working around the clock to manage the situation.

Customers have been reassured that water and wastewater services remain unaffected by the cybersecurity incident. The company confirms that the safety and quality of the water supply continue to meet all standards, with no disruptions anticipated.

To further address billing and service interruption concerns, American Water has announced that there will be no late fees or service shutoffs while the MyWater portal remains offline. Similarly, the company’s call center is operating with limited functionality, focusing on providing support and information to customers during this time.

The latest news comes just a day after The Wall Street Journal revealed that the Chinese government-backed Salt Typhoon APT group hacked AT&T, Verizon, and Lumen Technologies, compromising wiretap systems used in criminal investigations.

Tim Erlin, a Security Strategist at Wallarm, weighed in on the situation, highlighting the broader implications for critical infrastructure. “Critical infrastructure isn’t immune from digital transformation, including reliance on APIs and applications,” Erlin noted. He referenced past incidents, such as the 2021 breach in Oldsmar, Florida, and a recent event in Kansas, emphasizing the ongoing challenges in securing water treatment facilities against cyber threats.

Erlin’s insights also align with recent findings from the cybersecurity firm Censys, which indicate that thousands of Industrial Control Systems (ICS) in the United States and the United Kingdom are vulnerable to cyberattacks, putting critical infrastructure such as water systems at risk.

1. DoJ charges man for hacking, tempering with public water facility
2. Cyberattack Defaces Israeli-Made Equipment at US Water Agency
3. Technician Indicted for Hacking California Water Treatment Facility
4. CISA – Ransomware targeted SCADA systems of 3 US water facilities
5. Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes