American Water Warns of Billing Outages After Finding Hackers in Its Systems

U.S. public utility giant American Water says it has disconnected some of its systems after discovering that hackers breached its internal networks last week. From a report: American Water, which supplies drinking water and wastewater services to more than 14 million people across the United States, confirmed the security incident in an 8-K regulatory filing with the U.S. Securities and Exchange Commission on Monday. The New Jersey-based company said in its filing that its water and wastewater facilities are "at this time" not affected and continue to operate without interruption, though the company noted that it's currently "unable to predict the full impact of this incident." American Water said it also notified law enforcement of the intrusion.

The company said it discovered "unauthorized activity" within its networks on October 3 and promptly moved to disconnect affected systems. In a statement on its website, American Water said it is "pausing billing until further notice." "In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems," Ruben E. Rodriguez, a spokesperson for American Water, told TechCrunch in a statement. "There will be no late charges for customers while these systems are unavailable." Rodriguez declined to state which systems were unavailable and also declined to comment on the nature of the cybersecurity incident.

No bills going out, no pay for senior executives

[Bruce66423]

Security failures should HURT the residents of the C suite. It's the only way they will spend enough to prevent them in future...

Which Systems?

[chipperdog]

I'm not as concerned about breach of billing systems (other than loss of personal information), as those won't impact the delivery of potable water....but if they've compromised the operational technology systems (AMI, SCADA, process control, etc), that is a much bigger concern.

NOT an infrastructure attack

[cuda13579]

This is just a company billing system being attacked...it could be any company. They're trying to rile people up because it's a water company. There is no danger of peoples water being shut of.

Yes, yes....I realize that attacks on certain systems can be used to attack other systems. But, it's unlikely an accounting system is event tangentially connected to any of their SCADA systems....there's no need for it to be. The whole "meter reading" operation has no need to be attached to the treatment operation

Re:NOT an infrastructure attack

[sconeu]

I'm not so sure. Remember, the Target data breach came through the HVAC system.

Re:

[cuda13579]

I know what you're saying...but if it was Iran/China/North Korea scheming to cripple infrastructure, they wouldn't blow their cover by fiddling with a billing system.
There absolutely could be more to it...but, you know how these sites like to seize on attention grabbing headlines.

Re:

[mangastudent]

the Target data breach came through the HVAC system

Which would be the equivalent of these attackers compromising an operational control system and using a segregation failure to work their way into the billing system.

But unlike a retail store, water systems don't colocate operations and meters, the latter are at the extremes of the system, connected only by water pipes.

Who on earth

[nospam007]

..is afraid of billing outages?

Re:

[omnichad]

The people whose routing and account number was stored in that billing system.

Giants

[Slashythenkilly]

Love these corporate conglomerates that swallow up small companies then act surprised when they get caught not securing their information and infrastructure. Even if the government finds them at fault at charges them fees, consumers who had no choice but to use their services dont see a dime. Prices just go up.