Picture Alliance | Picture Alliance | Getty Images
American Water, the largest water utility in the U.S., disclosed that it had been hit by a cyberattack.
The Camden, New Jersey-based company said in a security statement on its website that it had learned of “unauthorized activity in our computer networks and systems” last Thursday, which it determined “to be the result of a cybersecurity incident.”
The company said on Tuesday that it shut down its customer service portal, and as a result, its billing function “until further notice” and will not charge any late fees or other fees related to billing as long as the system is down.
Some recent hacks of major U.S. companies have brought key online systems to a halt and created chaos for consumers and businesses, such as the hack of UnitedHealth which led to nationwide difficulty among patients needs prescriptions filled and health-care professionals needing to be paid for services.
Hacks targeting U.S. water infrastructure, in particular, have been increasing, with some of the attacks linked to geopolitical rivals of the U.S., including Iran, Russia and China.
Taking out critical national infrastructure has become a top priority for foreign-linked cybercriminals. “All drinking water and wastewater systems are at risk — large and small, urban and rural,” an EPA spokesman recently told CNBC.
American Water provides drinking water and wastewater services to more than 14 million people with regulated operations in 14 states and on 18 military installations.
One recent Russian-linked hack in January of a water filtration plant in a small Texas town, Muleshoe was located near a U.S. Air Force base. “Water is among the least mature in terms of security,” Adam Isles, head of cybersecurity practice for Chertoff Group, recently told CNBC.
The FBI warned Congress in February that Chinese hackers had penetrated deeply into United States’ cyber infrastructure in an attempt to cause damage, targeting water treatment plans, the electrical grid, transportation systems and other critical infrastructure.
America Water said it remains early in the investigation and “currently believes” that no water or wastewater facilities or operations have been impacted and water remains safe to drink.
Law enforcement and third-party cybersecurity experts are now involved, the company said.
American Water did not immediately respond to a request for additional comment.
The rising cybercrime wave targeting key water infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act. Without quantifying an exact number, the EPA said some have “alarming cybersecurity vulnerabilities” — default passwords that have not been updated, vulnerable single login setups and former employees who retained systems access.
American Water said it first learned of the unauthorized computer access on October 3, and was subsequently able to determine it was a cyberattack. It said turning off customer systems was intended to protect data, though it added that it is too soon to know whether any customer information is at risk.
An American Water spokesman declined to comment beyond the official security statement.