What happened
Iran-linked threat actor Handala claimed it hacked California Water Service and published 5 GB of data allegedly stolen from the U.S. water utility.
The hacking group said the intrusion was retaliation for recent U.S. actions in Iran and claimed it had the ability to disrupt water access but chose not to. The level of access Handala had has not been confirmed.
Threat intelligence company Dataminr assessed that Handala likely hacked into Cal Water’s RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system. Cal Water is one of the largest investor-owned water utilities in the United States, serving roughly two million customers across 100 communities in California.
Cal Water’s Chico District has been confirmed as the victim of the attack. Data leaked by Handala indicates the attackers likely accessed a customer billing database and Cal Water’s internal RTKBase application.
The leaked data appears to include a bulk database export containing personally identifiable information such as names, addresses, phone numbers, account numbers, and payment histories. The dump also includes administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password.
Handala also performed enumeration of IP addresses associated with Cal Water’s NTRIP network across seven districts. While OT or ICS disruption has not been confirmed, Dataminr warned that Handala’s toolkit includes custom wipers and destructive capabilities.
Dataminr said all credentials exposed in the dump should be considered compromised and immediately rotated. It also recommended taking the RTKBase instance offline and auditing it, along with reviewing network segmentation and billing system access logs.
Cal Water has not publicly acknowledged the intrusion.
Who is affected
Cal Water’s Chico District is directly affected by the claimed attack. Customers whose information was included in the leaked billing data may also be affected.
Potentially exposed information includes names, addresses, phone numbers, account numbers, and payment histories. This type of data can create risks around phishing, impersonation, billing-related scams, and customer account fraud.
Cal Water’s broader operations may also face security concerns because the alleged intrusion involved both a GNSS base station platform and a billing system. The article does not confirm operational disruption, but the group claimed it had the ability to disrupt water access.
Why CISOs should care
This incident highlights the risk of attackers moving from specialized operational or infrastructure-adjacent systems into business systems that contain customer data. Dataminr assessed that the RTKBase platform may have served as an initial access vector or lateral pivot point into the billing environment.
For CISOs in utilities and critical infrastructure, the incident reinforces the need to treat engineering, geospatial, telemetry, and support platforms as part of the broader attack surface. Systems that may appear separate from customer databases can still become pathways into sensitive environments if segmentation, credentials, and access controls are weak.
The destructive capability angle also matters. OT and ICS disruption has not been confirmed, but Handala has a history of data exfiltration, wiper malware, and psychological operations. Security teams should treat public claims and leaked data not only as a breach disclosure event, but also as a possible warning sign for follow-on activity.
3 practical actions
- Rotate exposed credentials and audit RTKBase access immediately: The leaked data included administrative credentials for the RTKBase platform and an NTRIP source password. Security teams should treat those credentials as compromised, rotate them immediately, review access history, and audit the affected RTKBase instance.
- Review segmentation between infrastructure platforms and billing systems: Dataminr assessed that the RTKBase network may have been an initial access vector or lateral pivot point into the billing environment. CISOs should verify that infrastructure-adjacent systems cannot freely reach customer billing databases or other sensitive business systems.
- Prepare for possible destructive follow-on activity: OT or ICS disruption has not been confirmed, but Handala’s toolkit includes custom wipers and destructive capabilities. Utilities and critical infrastructure operators should review backups, incident response plans, recovery procedures, and monitoring for signs of escalation after public data leaks.
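The second action above, verifying that infrastructure-adjacent segments cannot reach billing systems, is the kind of check that can be run over firewall or flow logs rather than left to an architecture diagram. The following Python script is an added example, not code from the article, from Cal Water, or from Dataminr: it assumes a constructed flow-log line format (`<timestamp> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>`) and hypothetical subnets for an RTKBase/NTRIP segment and a billing segment, then reports every flow from the former into the latter, separating flows the firewall allowed (a segmentation gap to close) from flows it denied (attempted reach worth investigating).

```python
"""Segmentation audit over constructed firewall flow records (added example).

Every subnet, port and log line below is a constructed assumption for
illustration; replace them with the real segment definitions and log export.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical segment definitions (assumed, not from the article).
SEGMENTS = {
    "rtkbase": [ipaddress.ip_network("10.50.0.0/24")],   # GNSS/NTRIP hosts
    "billing": [ipaddress.ip_network("10.20.10.0/24")],  # customer billing DB/app
}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <src>:<sport> -> <dst>:<dport> <action>'."""
    ts, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
                int(dport), action.upper())


def segment_of(ip: ipaddress.IPv4Address) -> str:
    """Return the segment name an address belongs to, or 'other'."""
    for name, nets in SEGMENTS.items():
        if any(ip in net for net in nets):
            return name
    return "other"


def audit(lines) -> dict:
    """Return rtkbase->billing flows grouped by firewall verdict.

    'allowed' flows show the segmentation gap itself; 'denied' flows show
    something in the rtkbase segment trying to reach billing anyway.
    """
    result = {"allowed": [], "denied": []}
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if segment_of(flow.src) == "rtkbase" and segment_of(flow.dst) == "billing":
            key = "allowed" if flow.action == "ALLOW" else "denied"
            result[key].append(flow)
    return result


# Constructed sample export; timestamps and addresses are invented.
SAMPLE_LOG = """\
2026-01-01T02:14:07Z 10.50.0.12:51432 -> 10.20.10.5:5432 ALLOW
2026-01-01T02:14:09Z 10.50.0.12:51433 -> 10.20.10.5:22 DENY
2026-01-01T02:15:00Z 203.0.113.7:40000 -> 10.50.0.12:2101 ALLOW
2026-01-01T02:16:30Z 10.20.10.5:33000 -> 10.20.10.9:443 ALLOW
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_LOG.splitlines())
    for verdict, flows in findings.items():
        for f in flows:
            print(f"{verdict.upper():7} {f.ts} {f.src} -> {f.dst}:{f.dport}")
```

Only the first two lines of the constructed log are flagged: the inbound NTRIP connection on port 2101 from an outside address and the billing-internal HTTPS flow are both outside the rtkbase-to-billing path the check is about. An allowed hit such as the database port flow is the finding to fix in the firewall policy; a denied hit is the one to hand to the incident responders, since the page's own concern is an RTKBase host being used as a pivot.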
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

