Date: Mar 2023

Location: United States of America

Summary

A cyberattack compromised sensitive customer and employee information at Puerto Rico's primary water utility, though critical infrastructure remained unaffected due to network segmentation. The incident involved unauthorized access by a criminal group that the utility described as nationally identified; the Vice Society ransomware group later claimed responsibility and leaked stolen documents, including passports and driver’s licenses. The utility activated security protocols, initiated an investigation into the breach’s scope and entry methods, and notified affected individuals. Authorities collaborated with federal agencies, emphasizing password resets for users. The attack highlighted vulnerabilities in water sector cybersecurity following recent federal mandates citing inadequate prior protections and rising threats to critical infrastructure operations.


Description

On or around early March 2023, the Puerto Rico Aqueduct and Sewer Authority (PRASA) experienced a cyberattack compromising customer and employee data. PRASA detected the incident and activated security protocols, engaging the FBI and Cybersecurity and Infrastructure Security Agency (CISA) immediately. Executive President Doriel Pagán confirmed the breach did not impact critical water infrastructure due to network segmentation, ensuring operational continuity for water services. The joint investigation focused on identifying the attackers’ entry methods, the full scope of data exfiltrated, and mitigating further risks. PRASA characterized the perpetrators as a nationally identified criminal organization but withheld attribution specifics due to the ongoing investigation. While declining to name the group publicly, officials pledged to notify affected customers and employees via breach notification letters with additional details. They advised all individuals to change passwords not only for PRASA accounts but also any other platforms using identical credentials as a precaution against credential-stuffing attacks.


On March 17, 2023, the Vice Society ransomware group claimed responsibility, listing PRASA on its leak site and publishing samples of stolen documents—including passports, driver’s licenses, and other personal identification materials. Vice Society, active since 2021, historically targeted educational institutions but expanded to entities with weaker security postures. The PRASA attack coincided with heightened U.S. regulatory scrutiny, occurring two weeks after the White House and Environmental Protection Agency mandated cybersecurity assessments for drinking water systems. EPA officials cited prior ransomware disruptions at water facilities, including treatment process shutdowns, control system lockouts, and disabled monitoring infrastructure, as justification for stricter measures. Though PRASA’s operational systems remained uncompromised, the breach underscored sector-wide vulnerabilities highlighted by law enforcement reports documenting five attacks on U.S. water/wastewater facilities from 2019–2021. Authorities maintained focus on securing critical systems while coordinating breach response and forensic analysis with federal partners.
