Cyber Incident Victim: Águas e Energia do Porto

Date: Jan 2023

Location: Portugal

Summary

The LockBit ransomware gang compromised a Portuguese municipal utility responsible for water supply, wastewater management, public lighting, and photovoltaic operations, and threatened to leak stolen data unless its demands were met. The attack disrupted customer service channels, requiring users to resubmit recent requests, but did not impact core water or sanitation services. Investigations by national cybersecurity and judicial authorities are ongoing. LockBit had previously targeted the Port of Lisbon and a third-party IT provider linked to the utility, from which customer passwords were allegedly exfiltrated.

Description

On January 30, 2023, Aguas do Porto, a Portuguese municipal utility responsible for water supply, wastewater management, public lighting, and photovoltaic parks, disclosed a cyber attack that disrupted some customer-facing services. The incident did not impact core water supply or sanitation operations. Customers who submitted information requests, service tickets, or complaints in the preceding 72 hours were instructed to re-contact the company due to system constraints caused by the breach. The LockBit ransomware gang later claimed responsibility, listing Aguas do Porto on its Tor-based leak site with a threat to publish stolen data by March 7, 2023. No samples of the allegedly exfiltrated data were initially released, leaving the exact scope and nature of compromised information unverified.

Portugal’s National Cybersecurity Center and Judiciary Police launched an investigation into the incident. The attack followed a December 2022 LockBit intrusion against the Port of Lisbon, which similarly did not disrupt critical operational systems. LockBit also breached Divultec, an IT services provider, stealing sensitive customer data that reportedly included Aguas do Porto passwords. The utility did not publicly confirm whether the Divultec breach facilitated the January intrusion or elaborated on technical containment measures. Service restoration timelines and forensic findings remained undisclosed in available reporting.
