Veolia North America, a subsidiary of transnational conglomerate Veolia, disclosed a ransomware attack that impacted systems part of its Municipal Water division and disrupted its bill payment systems.
After detecting the attack, Veolia has implemented defensive measures, temporarily taking some systems offline to contain the breach.
Veolia is now working with law enforcement and third-party forensics experts to assess the extent of the attack’s impact on its operations and systems.
“In response to this incident, we implemented defensive measures, including taking the targeted back-end systems and servers offline until they could be restored. As a result, some customers experienced delays when using our online bill payment systems,” the company said.
According to Veolia, back-end systems and servers taken offline right after the attack for restoration are now back online and customers’ payments will not be affected.
“Any payments made during this event have been applied, and customer accounts should reflect the most updated information. Customers will not be penalized for late payments or charged interest on their bills due to this service interruption.”
However, the attack hasn’t disrupted Veolia’s water treatment operations or wastewater services.
“This incident seems to have been confined to our internal back-end systems at Veolia North America, and there is no evidence to suggest it affected our water or wastewater treatment operations,” it said.
So far, the company has discovered a limited number of individuals whose personal information may have been impacted during the breach and is working with a third-party forensics firm to assess the extent of the attack’s impact on its operations and systems.
Veolia North America provides water and wastewater services to roughly 550 communities and industrial water solutions at around 100 industrial facilities, treating over 2.2 billion gallons of water and wastewater daily at 416 facilities across the United States and Canada.
The transnational Veolia group has almost 213,000 employees globally and generated €42.9 billion in revenue in 2022, providing drinking water to around 111 million people and wastewater services to roughly 97 million. The same year, Veolia produced nearly 44 terawatt-hours of energy and treated 61 million metric tons of waste.
Critical water infrastructure under attack
Southern Water, a water treatment company serving millions across the United Kingdom, was also the victim of a ransomware attack claimed by the Black Basta ransomware gang.
“At this point there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally,” Southern Water said today.
In November, CISA warned that threat actors breached a U.S. water facility in Pennsylvania by hacking Unitronics programmable logic controllers (PLCs) exposed online without compromising potable water safety for served communities.
Two months earlier, in September, the U.S. cybersecurity agency released a free security scan program for critical infrastructure facilities like water utilities to help them detect security gaps and secure their systems from such attacks.
U.S. Water and Wastewater Systems (WWS) Sector facilities have also been breached multiple times by several threat groups deploying Ghost, ZuCaNo, and Makop ransomware in recent years,
Other breaches of water facilities have happened over the past two decades, including a South Houston wastewater treatment plant in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021.
In response to the WSW sector increasingly targeted by cyberattacks, CISA, the FBI, and the Environmental Protection Agency (EPA) issued an incident response guide last week to help defenders secure water utilities from attacks.