Breach taxonomy
Summary
On October 3, 2024, American Water Works Company learned of unauthorized activity within its computer networks and systems. The company activated its incident response protocols, engaged third-party cybersecurity experts, notified law enforcement, and disconnected or deactivated certain systems as a precautionary measure. The company stated that none of its water or wastewater facilities or operations were negatively impacted, and it did not expect the incident to have a material effect on the company. Filed under Item 8.01; materiality not yet determined as of filing date.
Tagging rationale
Threat: Unknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
Methods: Malware
The company described unauthorized activity that prompted proactive system disconnections; no specific method (ransomware, exfiltration) was confirmed, so the incident is classified as general malware/intrusion.
Assets: Revenue Process, Physical Assets
Unauthorized activity affected corporate computer networks and systems (REVENUE-PROCESS); the company also proactively disconnected systems related to its water utility infrastructure as a precaution (PHYSICAL-ASSETS).
Effects: Biz Interruption
The company had to disconnect or deactivate certain systems in response, causing operational disruption to IT systems → BIZ-INTERRUPTION. Water/wastewater operations were not impacted.
Business continuity: Effective
Filing states the company immediately activated its incident response protocols and that water/wastewater facilities and operations were not negatively impacted → Effective.
Impact
Unauthorized access to a major US water utility's corporate IT systems; no water operations affected, no data confirmed exfiltrated, company does not expect material impact → score 2.
Insurance: Not disclosed
Filing makes no mention of insurance → null.
Read the original SEC filing excerpt
Item 8.01. Other Events.
Discovery of and Response to Cybersecurity Incident
On October 3, 2024, American Water Works Company, Inc. (the Company) learned of unauthorized activity within its computer networks and systems, which the Company determined to be the result of a cybersecurity incident. Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident. The Company also promptly notified law enforcement and is coordinating fully with them. The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems. The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident. Although the Company is currently unable to predict the full impact of this incident, the Company does not expect that the incident will have a material effect on the Company, or its financial condition or results of operations.