Kemuri Water Company

Kemuri Water Company operates as a water utility responsible for the treatment and distribution of drinking water within its service area in the United States of America. The company manages the chemical dosing and flow control processes that ensure water safety and reliability for consumers. Its core function involves monitoring and adjusting treatment parameters through industrial control systems. The utility serves approximately 2.5 million customers, as indicated by the personal data exposed in a 2016 security incident. Its headquarters are located in the United States, though the specific city or state is not disclosed in the available sources.

The organisation’s operational technology includes an ageing IBM AS/400 system that interfaces with programmable logic controllers regulating the addition of treatment chemicals and the flow of water through the plant. This legacy infrastructure was highlighted during a cyber intrusion on March 22, 2016, when attackers leveraged credentials stored on an internet‑connected web server to gain unauthorized access. Once inside, the threat actors modified application settings, altering chemical levels and disrupting treatment processes before automated alerts enabled a rapid reversal. The incident also resulted in the exposure of personal information for its customers, although no evidence of data misuse was found. Forensic analysis attributed the breach to a hacktivist group that lacked the intent or technical capability to cause substantial physical harm.

The 2016 event underscored systemic vulnerabilities in outdated critical infrastructure, particularly the reliance on legacy platforms such as the AS/400 for essential water treatment functions. As a provider of potable water, Kemuri Water Company operates within a heavily regulated sector, subject to federal and state standards governing water quality and safety. The utility’s role as critical infrastructure necessitates adherence to cybersecurity guidelines aimed at protecting operational technology environments. No explicit information about parent companies, subsidiaries, or ownership structure is provided in the source material, so those details remain unspecified.