U.S. public utility giant American Water says it has disconnected some of its systems after discovering that hackers breached its internal networks last week.
American Water, which supplies drinking water and wastewater services to more than 14 million people across the United States, confirmed the security incident in an 8-K regulatory filing with the U.S. Securities and Exchange Commission on Monday.
The New Jersey-based company said in its filing that its water and wastewater facilities are “at this time” not affected and continue to operate without interruption, though the company noted that it’s currently “unable to predict the full impact of this incident.” American Water said it also notified law enforcement of the intrusion.
The company said it discovered “unauthorized activity” within its networks on October 3 and promptly moved to disconnect affected systems. In a statement on its website, American Water said it is “pausing billing until further notice.”
“In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems,” Ruben Rodriguez, a spokesperson for American Water, told TechCrunch in a statement. “There will be no late charges for customers while these systems are unavailable.”
Rodriguez declined to state which systems were unavailable and also declined to comment on the nature of the cybersecurity incident.
“Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident,” Rodriguez said.
The ongoing incident at American Water comes amid growing warnings from the U.S. government that state-backed hackers are increasingly targeting American water infrastructure.
In February, a coalition of U.S. intelligence agencies, including the National Security Agency, U.S. cybersecurity agency CISA, and the FBI, warned that a group of state-sponsored hackers based in China had compromised multiple critical infrastructure systems, including water and wastewater systems, in the United States.
The group, known as “Volt Typhoon,” burrowed into networks by exploiting vulnerabilities in routers, firewalls, and VPNs, the agencies warned. In some cases, the China-backed hackers have maintained access to these networks for “at least five years,” with the aim of disrupting operational technology in the event of a major conflict or crisis between the United States and China.
This warning came after U.S. cybersecurity officials said in late 2023 that an Iranian-linked hacking group was “actively targeting and compromising” multiple U.S. water and wastewater systems facilities that rely on a particular Israeli-made computer system.