Key Takeaways
1. American Water Works detected unauthorized network access on October 3, 2024.
2. The customer portal and billing services were shut down to protect data; water systems were unaffected.
3. Personal and financial data may have been exposed, increasing identity theft and fraud risks.
4. Response protocols were activated promptly, involving cybersecurity experts and law enforcement.
5. The incident underscores the need for monitoring, strong response plans, and expert support.
6. I.S. Partners creates tailored security solutions with the guidance of expert auditors. Establish security solutions through frameworks such as NIST and SOC 2.
Overview of the American Water Works Cyberattack
American Water Works Company is one of the largest publicly traded water and wastewater utility companies in the U.S. It provides essential drinking water and wastewater services to around 14 million people across 14 states and 18 military bases.
On October 3, 2024, the Camden, New Jersey-based company detected unauthorized access within its computer networks—signs of a cybersecurity incident. The breach prompted the company to activate its incident response protocols.
The company immediately contacted third-party cybersecurity auditors to assess and contain the attack while law enforcement became involved in investigations. As a precaution, it shut down its customer portal and billing services—disconnecting certain systems to limit damage.
The company has not revealed the methods or motives behind the incident. As of October 11, 2024, American Water Works has confirmed that no impact reached its water systems and wastewater facilities or compromised service quality.
Timeline of the American Water Works Cyberattack
The American Water Works cyberattack on October 3, 2024, exposed vulnerabilities in a critical utility’s network, potentially compromising personal and financial data. This timeline outlines the key events and responses following the breach, highlighting lessons in cybersecurity preparedness and response.
Here’s a timeline of the cyberattack:
- October 3, 2024—American Water Works notices unauthorized access and identifies it as a cybersecurity issue. It takes all billing services offline and states on its website that customers will not have to pay late charges.
- October 3–4, 2024—The company immediately activates its incident response protocols and brings in third-party cybersecurity experts to help with containment and mitigation activities, as well as to investigate the scope of the attack.
- October 4–6, 2024—Cybersecurity teams work with American Water Works to analyze the breach in detail. They identify possible entry points or vulnerabilities that allow unauthorized access, begin mapping any compromised systems, and develop action plans to restore affected systems without risking further breaches.
- October 7, 2024—The company files an 8-K report with the U.S. Securities and Exchange Commission (SEC) and discloses the attack to the public.
- October 11, 2024—The customer portal and billing services reopen, and regular operations resume.
The breach investigation continues, but the company claims there has been no significant damage to its finances or operations.
What Risks Does the American Water Works Cyberattack Pose to Customers?
The cyberattack on American Water Works presents several risks to customers, particularly regarding their personal data. Although the company has not confirmed the full scope of the breach, the types of sensitive information that may have been compromised include personally identifiable information and financial data.
If these types of data were accessed, the company’s customers could be exposed to the following cyber threats:
- Identity theft. Exposed personal information can make customers prime targets for identity theft. Cybercriminals could use leaked data to open new accounts, secure loans, or commit other acts of fraud under false identities.
- Unauthorized transactions. With access to financial data, attackers could conduct fraudulent transactions, redirect payments, or initiate unauthorized withdrawals, leaving customers with financial losses.
- Privacy violations. Breached information may end up on dark web marketplaces, where it could be sold and misused for scams, phishing schemes, or further attacks.
- Health claims fraud. Hackers could misuse personal information for fraudulent health claims or unauthorized access to related services.
Although American Water Works has taken steps to address the breach, customers should monitor their financial and personal accounts for any unusual activity.
Similar Notable Cyberattacks on Utilities and Infrastructure
Water utilities are adopting digital tools like application programming interfaces (APIs) and web applications, which have opened up new doors for cyberattacks. Here are some similar attacks that have happened in the past:
Name | Date | Details | Consequences |
Arkansas City Water Treatment Facility | September 2024 | Temporary switch to manual operations due to a cyberattack; no interruption to the water supply | Switch to manual operations |
Tipton Wastewater Treatment Plant | April 2024 | Claimed attack by the Cyber Army of Russia; caused a switch to manual control to prevent damage; facility operations remained stable | Minimal disruption; switch to manual control |
Texas Water Facilities (Multiple) | January 2024 | Facilities in Hale Center, Muleshoe, Lockney, and Abernathy faced coordinated attacks on SCADA systems; a water tank overflowed in Muleshoe before systems were controlled manually | Minor disruptions; one water tank overflowed |
Veolia North America | January 2024 | The company took targeted systems offline as a precaution; customer services were delayed; water and wastewater operations were unaffected | Service degradation in online billing and suspected PII theft |
Municipal Water Authority of Aliquippa | November 2023 | A vulnerable controller was accessed by attackers; led to a shutdown of automated systems; operations continued manually with no water disruption | Manual override was required due to the compromised system |
North Texas Municipal Water District | November 2023 | A ransomware gang claimed to steal customer data; water, wastewater, and solid waste services remained functional | Phone service outages and suspected data breach affecting 33,000 files |
These breaches highlight the fact that no organization is safe from cyberattacks today. Cybercriminals will exploit vulnerabilities wherever they find them.
In fact, the Environmental Protection Agency (EPA) has issued an enforcement alert, warning that an increase in cybercrime targeting critical water infrastructure has revealed vulnerabilities in many water systems. The EPA found that 70% of the water systems it inspected are not fully compliant with the Safe Drinking Water Act’s cybersecurity requirements.
Critical Lessons From the American Water Works Cyberattack
The American Water Works attack is a wake-up call—digital threats are always there to challenge the safety of your services. Here’s what organizations can take away from this incident to better protect themselves and their customers:
Make Security Assessments and Penetration Testing a Routine
Security assessments and penetration tests examine systems for weaknesses, gaps, and vulnerabilities that attackers might exploit. They help you find both technical flaws and procedural gaps.
Doing these every few months helps you catch risks early, keep your defenses strong, and stay prepared for emerging threats. In other words, security assessments and pen tests are your first line of defense against cyber threats.
In the American Water Works incident, the company identified the breach quickly—likely through a routine security check—and acted quickly to ensure containment. This shows how a regular routine of security checks builds readiness and allows for rapid responses to threats.
While you can conduct regular pen testing in-house, it usually requires a large cybersecurity team with expert knowledge of cyber threats and protocols—something not many companies have access to.
I.S. Partners helps you make sure your systems are protected and ensure cybersecurity compliance across different regions. This way, you can build threat detection systems that keep your organization prepared for any breaches.
Get in touch to learn more.
Build and Practice a Strong Incident Response Plan
An incident response plan gives an organization a clear, step-by-step guide to handle cyber threats the moment they arise. It outlines who does what—from detecting and assessing the threat to containing and recovering from it.
This makes sure that everyone knows their role when seconds matter—which was the case with American Water Works. The company’s employees knew exactly how to limit the breach and acted immediately once they learned of it.
You can also ensure a similar level of responsiveness if you build and practice an incident response plan that aligns with the NIST Cybersecurity Framework (CSF) core functions:
- Govern (GV)—Define cybersecurity strategy and policy
- Identify (ID)—Identify risks across all assets
- Protect (PR)—Secure assets to prevent incidents
- Detect (DE)—Monitor for threats and compromises
- Respond (RS)—Manage incident containment and mitigation
- Recover (RC)—Restore assets and operations swiftly
Keep Communication Clear and Transparent During a Breach
A data breach deals a significant blow to a company’s reputation and customer trust, so the best defense is prevention. But if a breach does happen, transparent communication matters just as much as containment.
With the right communication plan, you can inform clients and partners as soon as the breach happens to build trust, reassure stakeholders, and show that your organization takes cybersecurity seriously.
Make sure your teams—across all departments—know their roles and have a clear understanding of the situation so they can provide information about a potential cybersecurity incident, the data that may be at risk, and the actions you’re taking to resolve the situation quickly.
For example, American Water Works identified the cyberattack on October 3 and took billing services offline the same day. This shows the company had good internal communication, which allowed them to act quickly and limit the damage.
You also need to have a communication plan in place to adhere to your legal obligations for reporting breaches, as they differ across jurisdictions and industries. Here are some examples:
- HIPAA requires breach reporting for all healthcare providers in the U.S.
- The California Consumer Privacy Act requires data breach reporting for all companies processing citizen data in the state.
- GDPR requires companies to report breaches within 72 hours in the E.U.
Secure Remote Access and Third-Party Connections
Systems once managed on-site now rely on APIs, web applications, and cloud solutions to connect employees, customers, and vendors. While these tools improve efficiency, they also open up points of vulnerability—especially those involving remote access or third-party services.
Remote access, for example, helps employees and vendors connect from anywhere, but without strong security, it’s a direct path into your systems. A single compromised device or unprotected network connection could expose your entire organization.
Third-party connections add another layer of risk, as companies are often reliant on the security practices of other organizations they interact with. Each external connection point is a potential entry port for attackers. This means you need to choose vendors carefully and perform a vendor risk assessment before settling on one.
In the American Water Works incident, the company’s immediate shutdown of online systems suggests that remote access or a third-party service may have provided an entry point for attackers.
Engage Law Enforcement and Cybersecurity Experts Early
When a cyberattack occurs, involving law enforcement and cybersecurity experts from the start makes a major difference. Law enforcement provides investigative expertise and non-public threat intelligence, which helps contain and trace the attack, reduce costs, and speed up recovery.
IBM’s 2024 Cost of a Data Breach (CODB) Report shows that organizations can lower breach costs by nearly $1 million on average if they work with law enforcement—compared to those that handle incidents alone.
Law enforcement, like the FBI, monitors cyber threats and can aid in damage recovery, such as retrieving stolen funds or reversing ransomware.
The 2023 disruption of the Hive ransomware group is an example, where FBI-provided decryption keys saved over 300 organizations from paying ransom demands totaling more than $130 million.
Customers, regulators, and the public want to know that your organization is actively handling the situation. Notifying law enforcement early on sends a strong message that your organization is fully committed to reducing harm and taking the threat seriously.
Protect Clients from Cyberattacks with I.S. Partners
The American Water Works cyberattack is a reminder that even the most ordinary organizations are at risk of cyberattacks. While the company quickly got things under control and kept essential services running, this incident shows just how important it is for organizations to stay a step ahead.
Regular security checks, a practiced response plan, and secure remote and third-party access points go a long way in keeping systems safe. But with cyber threats constantly changing, your protocols can quickly become outdated.
At I.S. Partners, we understand that cybersecurity is an ongoing journey, not a one-time fix. Our fully U.S.-based team helps you stay ahead of emerging threats and provides you with expertise and protocols to keep your systems protected.
What Should You Do Next?
Strengthen your security system today by following these three critical steps.
Perform Regular Security Checks. Routine security assessments and penetration tests help identify vulnerabilities, allowing you to address them before attackers exploit them.
Create and Practice an Incident Response Plan. A tailored, well-rehearsed plan ensures your team can respond effectively during an attack, reducing downtime and mitigating risks.
Secure Expert Support from I.S. Partners. I.S. Partners offers expert guidance and customized cybersecurity solutions to protect your systems from evolving threats.
Don’t wait for an incident to reveal vulnerabilities. Get in touch with I.S. Partners today to build a cybersecurity strategy that secures your future.