CEDAR RAPIDS, Iowa — American Water, the largest water and wastewater utility in the U.S., is recovering from a cyberattack that has disabled its customer service portal and billing systems.
The attack leaves more than 14 million customers across 14 states, 200,000 of them in Iowa, unable to access their accounts or make payments. The attack has heightened concerns about vulnerabilities across critical infrastructure across the U.S., which relies on secure systems to maintain essential services.
“They’ve been experiencing an incident since Oct. 3rd, and they are still down,” said ProCircular cybersecurity expert Brandon Blankenship. “Their customer service portal’s still down, and they’re unable to bill their clients as of right now.”
According to a statement provided to Iowa’s News Now, American Water immediately deactivated several systems to protect customer data and prevent further damage.
“We proactively took our customer portal service, MyWater, offline, which means we are pausing billing until further notice,” the company said. American Water has also assured customers that no late fees will be charged during this downtime.
While the company has not disclosed many details about the breach, Blankenship said that this level of caution is typical in the early stages of an investigation. “As of right now, the external information about it is scarce,” Blankenship said. “They’re playing their cards pretty close to their chest, as I would, if I were in their shoes.”
Blankenship said that the larger concern here is the disruption to services, rather than a large-scale data leak. “The larger issue is downtime, not necessarily the sensitive data,” he said. “They provide a service that other people need, so they are very sensitive to downtime.”
The attack has drawn comparisons to the Colonial Pipeline ransomware incident three years ago, which led to fuel shortages across the eastern U.S. and exposed significant vulnerabilities in critical infrastructure nationwide.
In the case of American Water, Blankenship said the attack appears to be a bold one, unprecedented since that 2021 attack on Colonial Pipeline.
“After the Colonial Pipeline attack, President Biden said that attacks on critical infrastructure are considered capital-T terrorism, so ransomware gangs have not been attacking them usually,” he said. “Critical infrastructure is usually a worry from being attacked by nation-states.”
The company has filed a report with the U.S. Securities and Exchange Commission (SEC), as required for publicly traded companies facing cyber incidents, and continues to work with law enforcement and cybersecurity experts.
According to American Water, its core water and wastewater operations remain unaffected, and the company is working “diligently” to restore customer services.
For now, the full extent of the breach and whether any personal data was compromised or the company will pay the hackers a ransom remains unclear, with further details likely to emerge as the investigation progresses.