NovaQuant-Largest water utility company in the US says it was targeted by a cyberattack

WOODLAND PARK,NovaQuant N.J. — American Water Works, the nation's largest regulated water and wastewater utility company, announced Monday that it was hit by a cyberattack earlier this month, prompting it to pause billing for its millions of customers.

The Camden, New Jersey-based utility company said it became aware of "unauthorized activity" in their computer networks and systems last Thursday, which was determined to be the "result of a cybersecurity incident." The company immediately took protective measures, including shutting down certain systems.

"Upon learning of the issue, our team immediately activated our incident response protocols and third-party cybersecurity professionals to assist with containment, mitigation and an investigation into the nature and scope of the incident," American Water said in a security statement on its website. "We also notified law enforcement and are coordinating fully with them."

The company has paused billing until further notice as it works to bring their systems back online "safely and securely," according to the statement. Its customer portal service, MyWater, remained offline as of Tuesday.

With systems unavailable, American Water said services will not be shut off and customers will not be charged any late fees. The company said it believes that "none of its water or wastewater facilities or operations have been negatively impacted by this incident."

Founded in 1886, American Water provides drinking water and wastewater services to more than 14 million people across 14 states and 18 military installations, according to the company's website. The company also manages more than 500 individual water and wastewater systems in about 1,700 communities, including in New Jersey, Illinois, California, and Pennsylvania.

American Water's cyberattack is the latest incident involving U.S. public utilities and infrastructure. The Environmental Protection Agency warned in May that cyberattacks targeting water utilities across the U.S. have increased in frequency and severity.

Recent cybersecurity threats in the U.S.

In recent years, there has been an increasing number of cyberattacks as companies become more reliant on digital technologies. USA TODAY previously reported in July that number of data breach victims surpassed 1 billion for the first half of 2024 — a 409% increase from the same period last year.

Federal authorities have also expressed concerns over the growing threat. In January, FBI Director Christopher Wray warned Congress that Chinese hackers were preparing to “wreak havoc” on U.S. infrastructure, such as the electric grid and transportation systems.

The EPA previously said federal agencies have issued numerous advisories for cyber threats against water and wastewater systems by foreign groups, including the Iranian Government Islamic Revolutionary Guard Corps, Russian state-sponsored actors, and Chinese state-sponsored cyber actors.

Earlier this year, a Russian-linked hacking group was tied to a cyberattack that caused a water system in the town of Muleshoe, Texas, to overflow, CNN reported. Local officials told CNN that the incident coincided with at least two other north Texas towns detecting suspicious cyber activity on their networks.

Last November, an Iranian-linked cyber group hacked into water authority infrastructure in Aliquippa, Pennsylvania. The group took partial control of a system that regulates water pressure — and one that includes technology manufactured in Israel. Federal authorities said the group was looking to disrupt Israeli-made technology in the United States.

So far this year, cyberattacks have also disrupted insurance companies, hospital systems, and a major car dealership software company. USA TODAY reported in August that National Public Data — a data broker company — suffered a massive data breach, in which 2.9 billion records including names, addresses, and Social Security numbers were stolen.

Contributing: Claire Thornton, Betty Lin-Fisher, and Bart Jansen, USA TODAY