American Water, the largest regulated water utility in the U.S., has confirmed it was targeted in a cyberattack affecting millions of customers across 14 states.
The New Jersey-based company provides services to more than 14 million people across 14 states and 18 military installations, and the breach has temporarily disrupted certain systems, including customer billing and online services.
According to a regulatory filing and a security-related notice on the company’s website, American Water first detected the unauthorized activity on October 3.
The firm immediately took action to shut down specific systems to prevent further access and launched an investigation into the incident.
The company also notified law enforcement and is cooperating with federal authorities to identify the source of the breach.
“We are working diligently to bring the disconnected systems back online safely and securely,” the company stated in its notice.
American Water does not believe its water or wastewater systems were compromised and explained that drinking water remains safe.
While the company does not expect the attack to have a significant impact on its financial condition or operations, the breach has affected its customer services.
The company’s online customer portal, MyWater, was taken offline to safeguard sensitive data.
Additionally, American Water has paused billing activities to prevent potential risks to customer information, and late fees will not be applied while the portal remains down.
The company’s call center is currently operating with limited capacity as it works to restore systems.
The attack comes amid heightened warnings from federal agencies about the growing threat of cyberattacks targeting the water sector.
Earlier this year, the U.S. Environmental Protection Agency (EPA) issued an enforcement alert, highlighting an increase in cyber incidents against community water systems.
The EPA noted that such attacks could allow hackers to manipulate operational technology, potentially leading to dangerous disruptions in water treatment processes or alterations of chemical levels.
The EPA’s review revealed that over 70 percent of inspected water systems failed to meet basic cybersecurity standards, prompting the agency to step up enforcement actions to mitigate risks.
The Cybersecurity and Infrastructure Security Agency (CISA) has also urged critical infrastructure providers to improve their defenses, particularly against state-sponsored groups from Iran, Russia, and China.
In a statement, FBI Director Christopher Wray warned that the Chinese Communist Party has already infiltrated U.S. critical infrastructure and could launch “devastating” attacks on civilian services at any moment.
This attack on American Water, though not immediately catastrophic, underscores the urgency of bolstering cybersecurity measures to safeguard vital systems from malicious actors.