American Water Works believes no water, wastewater facilities affected by cyberattack

None of the water or wastewater facilities run by the American Water Works company were affected by a cyberattack that began last week, according to a statement released on Monday.

The company, which supplies water to millions of Americans, filed documents with the Securities and Exchange Commission (SEC) on Monday notifying the public of the incident. On its website, company officials warned that the portal customers use to access their personal accounts and pay water bills is currently not available due to measures taken to contain the attack.

The company’s MyWater account system is currently down, according to a notice on the company website, and all appointments set up by customers will be rescheduled. Additionally, all billing has been paused until further notice as they try to bring systems back online — there will be no late charges or service shut offs while systems are down. 

The company’s call center is also down.

American Water Works provides drinking water, wastewater and other related services to an estimated 14 million people in 14 states as well as 18 military installations. From its regulated businesses, the company reported a net income of $971 million for 2023. 

In both the SEC filing and the notice on its website, the company said they discovered the attack on Thursday. 

Law enforcement was notified of the incident and the company hired cybersecurity experts to “assist with the containment and mitigation activities.”

“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its system,” the statement said.

American Water Works did not respond to requests for comment about whether they are dealing with a ransomware attack or if a ransom has been issued. 

The SEC filing says the company “currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.” They noted that they cannot “predict the full impact of this incident.”

On its website, American Water Works said they are attempting to protect customer data and prevent further harm by disconnecting and deactivating certain systems.

The attack on American Water Works has not been claimed by any ransomware gang or hacker group as of Monday afternoon. 

Federal regulators at the EPA and other agencies have repeatedly sought to improve the cybersecurity protections of companies across the water and wastewater industry. After regulatory efforts were successfully lobbied against and killed last year, concern was reignited when nation-state attackers from Iran targeted dozens of water utilities last November. 

The EPA said in May that in recent inspections, over 70%  of water systems examined do not fully comply with the Safe Drinking Water Act and some “have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised.”

Two weeks ago, the nation’s top cybersecurity agency warned that they continue to have to respond to “active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.”

That notice came after a water utility in Kansas had to resort to manual operations following a cyberattack.