
CALIFORNIA Water Service is investigating a claim by the Iran‑linked hacking group Handala that it stole several gigabytes of customer data from the utility's networks, asserting that it could have disrupted water supply but opted instead to leak the information, according to SecurityWeek.
The group says it gained entry through an exposed RTKBase GPS installation, which served as a pivot to the billing database holding names, addresses and account details of roughly two million customers, as reported by Security Affairs; no CVE identifiers have been associated with the intrusion.
Handala released a 5GB archive allegedly containing the billing records and internal telemetry from the RTKBase system, signalling that it had achieved deep access to the corporate IT environment. Despite the claim that it could have sabotaged water flow, the utility says there was no interruption to service and no evidence of malicious code placed on operational technology.
Handala, which security researchers tie to Iranian military interests, has previously framed its attacks as retaliation for US actions in Iran and has shown a pattern of escalating against critical infrastructure targets. The latest claim adds to a growing list of incidents where water utilities have been singled out for data exfiltration rather than outright disruption.
The episode highlights the continued exposure of water sector networks to relatively simple footholds such as misconfigured external services, and shows how attackers can move from IT to billing systems without triggering alarms in OT environments. It also demonstrates that even when threat actors claim restraint, the data they acquire can be used for fraud, identity theft or future extortion campaigns.
Defenders should begin by auditing all internet‑facing assets for outdated software and unnecessary services, applying patches where available and disabling any legacy protocols that are not required. Network segmentation must be enforced so that OT devices and billing databases reside in separate zones with strict firewall rules governing traffic between them.
Multi‑factor authentication should be mandatory for privileged accounts, and logging must be centralized to detect anomalous login attempts or unusual data transfers. Finally, organisations are encouraged to share indicators of compromise with sector‑specific ISACs and to rehearse incident response plans that include coordination with law enforcement and regulatory bodies.
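The segmentation and centralized-logging advice above can be checked mechanically. The following is an added example, not code from the utility, SecurityWeek or Security Affairs: it scores constructed flow records against an assumed zone policy (an internet-facing RTK segment, a billing-database segment, an OT segment and a corporate segment) and flags both cross-zone connections that the policy does not allow and hosts pushing unusually large volumes to external addresses. The addresses, record format and 1 GB threshold are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone map (constructed addresses, not from any real network).
ZONES = {
    "rtk_dmz": ip_network("10.10.0.0/24"),  # internet-facing RTKBase hosts
    "billing": ip_network("10.20.0.0/24"),  # billing database servers
    "ot":      ip_network("10.30.0.0/24"),  # operational technology
    "corp":    ip_network("10.40.0.0/16"),  # corporate user/admin hosts
}
# Allowed cross-zone flows (source zone, destination zone); anything else alerts.
# RTKBase is meant to be reachable from the internet, so external->rtk_dmz is allowed.
ALLOWED = {("corp", "billing"), ("corp", "rtk_dmz"), ("external", "rtk_dmz")}
EGRESS_BYTES_THRESHOLD = 1_000_000_000  # 1 GB from one source per window (assumed)

def zone_of(ip):
    """Map an address to its zone name, or 'external' if it matches none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def parse_flow(line):
    # Constructed record format: "<src_ip> <dst_ip> <dst_port> <bytes>"
    src, dst, port, nbytes = line.split()
    return src, dst, int(port), int(nbytes)

def analyse(lines):
    """Return (policy_violations, bulk_egress) for a list of flow records."""
    violations = []
    egress = defaultdict(int)
    for line in lines:
        src, dst, port, nbytes = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        # Cross-zone traffic not on the allow list is a segmentation violation.
        if sz != dz and dz != "external" and (sz, dz) not in ALLOWED:
            violations.append((src, dst, port, sz, dz))
        # Sum bytes sent to external addresses per internal source.
        if dz == "external":
            egress[src] += nbytes
    bulk = {ip: b for ip, b in egress.items() if b >= EGRESS_BYTES_THRESHOLD}
    return violations, bulk

# Constructed sample flows mirroring the scenario: an exposed RTK host
# reaching the billing database and OT, then exporting 3 GB to the internet.
SAMPLE_FLOWS = [
    "10.40.1.5 10.20.0.10 5432 2048",        # admin host to billing DB: allowed
    "10.10.0.7 10.20.0.10 5432 4096",        # RTK host to billing DB: violation
    "10.10.0.7 203.0.113.9 443 3000000000",  # 3 GB leaving the RTK host
    "10.10.0.7 10.30.0.4 502 512",           # RTK host to OT: violation
]
```

Run `analyse(SAMPLE_FLOWS)` to get two zone violations and one bulk-egress source; in practice the records would come from the centralized flow or firewall logs rather than an inline list.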