American’s largest water utility hit by cyberattack

American Water, the largest water utility in the U.S., disclosed that it had been hit by a cyberattack.

The Camden, New Jersey-based company said in a security statement on its website that it had learned of “unauthorized activity in our computer networks and systems” last Thursday, which it determined “to be the result of a cybersecurity incident.”

The company said on Tuesday that it shut down its customer service portal, and as a result, its billing function “until further notice” and will not charge any late fees or other fees related to billing as long as the system is down.

American Water said it first learned of the unauthorized computer access on October 3, and was subsequently able to determine it was a cyberattack. It said turning off customer systems was intended to protect data, though it added that it is too soon to know whether any customer information is at risk.

The rising cybercrime wave targeting key water infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act. Without quantifying an exact number, the EPA said some have “alarming cybersecurity vulnerabilities” — default passwords that have not been updated, vulnerable single login setups and former employees who retained systems access.