American Water, the largest water utility in the U.S., recently disclosed a cyberattack on its systems. The Camden, New Jersey-based company revealed in a security statement that it discovered "unauthorized activity" in its computer networks on October 3, confirming it as a cybersecurity incident. As a precaution, American Water shut down its customer service portal, including its billing functions, until further notice. Customers will not incur late or other billing-related fees during this downtime.
Cyberattacks on U.S. infrastructure have been on the rise, with utilities such as water systems becoming frequent targets. Attacks have been linked to geopolitical adversaries like Iran, Russia, and China, with the FBI warning earlier this year that Chinese hackers have penetrated U.S. critical infrastructure, including water treatment plants and electrical grids.
American Water, which provides water and wastewater services to over 14 million people across 14 states and 18 military installations, emphasized that, despite the breach, its water facilities and operations have not been affected and drinking water remains safe.
Law enforcement and third-party cybersecurity experts are investigating the attack. The company has yet to confirm if customer data has been compromised, stating it is still early in the investigation.
The growing threat to water infrastructure has prompted warnings from the Environmental Protection Agency (EPA), which found that 70% of inspected water systems failed to meet cybersecurity standards required by the Safe Drinking Water Act. Many water systems have "alarming vulnerabilities," including default passwords, outdated login setups, and inadequate access controls for former employees.
American Water’s quick response, including disabling customer systems to protect data, highlights the increasing need for stronger cybersecurity measures across critical infrastructure sectors. The company continues to work with experts to assess the full impact of the breach.