IT Security FAQs – Reactivation of Systems

October 10, 2024: American Water is in the process of methodically and securely reconnecting and reactivating systems following a recent cybersecurity incident. At this time, our customer portal, MyWater, is now securely back online and customers can resume using this platform as normal. We sincerely regret any inconvenience this has caused and appreciate your patience as we worked to restore these services.

As always, providing safe and reliable access to water and wastewater services is our top priority – and we continue to have no indication that any of our water or wastewater facilities or operations have been negatively impacted by this incident.

1. What happened? On Thursday, October 3, 2024, American Water learned of unauthorized activity in our computer networks and systems. This activity has since been determined to be the result of a cybersecurity incident. To protect our customers’ data and to prevent any further harm to our environment, we proactively disconnected or deactivated certain systems. Several days later, those systems were securely reactivated.
   
   
2. How did American Water respond? Upon learning of the issue, our team immediately activated our incident response protocols and third-party cybersecurity professionals to assist with containment, mitigation and an investigation into the nature and scope of the incident. We also notified law enforcement and cooperated fully with them.
   
   
3. What is the current status of American Water’s operations and services? All systems are securely online. The Company has no indication that any of our water or wastewater facilities or operations were negatively impacted by this incident.
   
   
4. Was there any impact to my water services and/or other utilities? There was no impact to our water and wastewater services. No late charges for any unpaid bills were issued during the short period when our customer and billing platform was unavailable.
   
   
5. Is the water safe to drink? Yes.
   
   
6. Is my information at risk? The Company has determined that customer Personal Information (PI), as that term is defined by the state data breach notification laws in the states in which we have regulated operations (i.e., NJ, PA, MO, IL, IN, IA, WV, VA, CA, HI, KY, TN, GA, MD), was not impacted as a result of the incident. The Company will notify any customers impacted by this incident that reside outside of our regulated footprint in accordance with their respective state data breach notification laws.