Cyber Incident Victim: Autoridad de Acueductos y Alcantarillados
Date: Mar 2023
Location: United States of America
Summary
Autoridad de Acueductos y Alcantarillados, Puerto Rico's water utility, suffered a ransomware attack affecting its electronic customer service systems. The entity's vice president confirmed the incident, noting its robust systems triggered protective measures during the compromise. While the attack disrupted operations, the agency asserted no employee or customer data was compromised and explicitly stated it would not pay any ransom to restore access.
Description
On March 13, 2023, the Autoridad de Acueductos y Alcantarillados (AAA), Puerto Rico’s public water utility manager, experienced a ransomware attack targeting its electronic customer service systems. The incident began at approximately 6:37 a.m. local time, according to Arnaldo Jimenez Acevedo, AAA’s Vice President of Strategic Planning, who confirmed the attack to local media outlet Vocero. The organization’s security protocols triggered an automated defensive response, described by Jimenez Acevedo as part of the agency’s “robust system” protections, which activated shortly after the initial compromise. While AAA did not disclose the precise method of infiltration or the identity of the threat actors, the attack disrupted digital customer-facing operations. The utility emphasized no evidence indicated unauthorized access to or exfiltration of employee or customer data during the event.

AAA’s leadership publicly ruled out paying any ransom demand to restore system access, citing the absence of confirmed data compromise as a pivotal factor in this decision. The attack’s operational impact centered on impairing electronic service delivery mechanisms, though AAA did not specify whether other internal systems, such as water supply control infrastructure, suffered collateral disruption. No data leaks, financial demands, or attacker communications were disclosed publicly beyond the confirmation of ransomware’s involvement. The utility did not release additional technical details regarding containment measures, system restoration timelines, or forensic investigations in its initial statements. External cybersecurity analysts noted the absence of a dark web leak or victim claim by known ransomware groups at the time of AAA’s disclosure, though no third-party verification of the attack’s scope or resolution emerged in subsequent weeks.
