Cyber Incident Victim: American Water Works
Date:
Oct 2024
Location:
United States of America
Summary
American Water Works experienced unauthorized access to its computer networks, prompting immediate activation of incident response protocols and engagement of third-party cybersecurity experts to contain and mitigate the breach. The company disconnected certain systems, temporarily halting billing operations and disabling its customer portal, while assuring customers no late fees would apply during the outage. Although no water or wastewater facilities were impacted, the incident caused a temporary stock price decline. The company notified law enforcement and is cooperating with authorities, maintaining that the breach is unlikely to materially affect its financial condition despite ongoing investigations into the full scope.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 3, 2024, American Water Works Company, Inc. detected unauthorized activity within its computer networks and systems, which it classified as a cybersecurity incident. The Camden, New Jersey-based utility—the largest regulated water and wastewater provider in the U.S., serving over 14 million people across 14 states and 18 military installations—immediately activated its incident response protocols upon discovery. The company engaged third-party cybersecurity experts to assist with containment, mitigation, and investigation efforts while disconnecting or deactivating specific systems as a protective measure. These actions caused the shutdown of its customer portal service, MayWater, which remained offline as of October 4. American Water paused customer billing operations during the system disruption and assured customers no late fees would be charged while services were unavailable. The company promptly notified law enforcement agencies and coordinated fully with their investigation, though no operational disruptions to water treatment or wastewater facilities were identified at the time of reporting.
The incident triggered a 3.9% stock price decline on October 3, reducing share value by $5.58, though partial recovery occurred the following day with a 0.5% increase. While American Water confirmed no immediate impacts on physical water infrastructure across its 500+ managed systems, it acknowledged uncertainty regarding the incident’s full scope and potential consequences, including risks of unauthorized data access, regulatory penalties, litigation, or reputational damage. Company representatives emphasized continuous investigation efforts and system protection measures but refrained from speculating about long-term financial or operational effects. The disclosure coincided with heightened U.S. government concerns about cyber intrusions targeting critical infrastructure, though no attribution or connection to nation-state actors was established in the company’s official statements. American Water maintained its assessment that the incident would not materially affect financial performance despite unresolved investigation elements and potential future liabilities.