
Iranian Hackers Exploit Credentials in Cal Water Breach

"As a critical infrastructure company, California Water Service takes cybersecurity and the security of our data and systems very seriously," a Cal Water spokesperson told Security magazine.

Handala's claim and Cal Water's June 11 response

On June 11, 2026, the Iranian-linked threat actor Handala claimed to have hacked California Water Service (Cal Water). The allegation prompted Cal Water to activate its cybersecurity response plan and to open a formal investigation, the company said. The response included continuous work "around the clock" and engagement of external experts to determine the scope and impact of the reported activity.

Mandiant's findings: unauthorized access limited to third-party accounts

Cal Water said it retained Mandiant to support the investigation. "Mandiant has confirmed that the threat actor activity was limited to unauthorized access to a small number of specific user accounts within two third-party service provider platforms," the company reported to Security magazine. Mandiant, Cal Water added, "did not identify evidence of threat actor activity in Cal Water’s internal information technology or operational technology environments."

What the intruder accessed: a customer account and a GPS correction tool site

The investigation concluded that the threat actor used stolen user credentials to access one active customer's online Cal Water account. Cal Water emphasized that "the customer account did not provide access to the billing system, and no payment information was compromised." Separately, the actor accessed an external, third-party website related to a GPS location correction tool; Cal Water said that the website "does not contain any confidential or sensitive information."

Coordination with government partners and the continuing response

Cal Water thanked its "state and federal government partners" for collaboration and support during the investigation, and reiterated its intent to continue efforts "to maintain the security of our systems and data from malicious actors." The company specifically cited the engagement of "leading cybersecurity experts, including Mandiant" as part of its incident response.

What this means for technologists, policymakers, and customers

  • Technologists and security teams: The incident centers on stolen user credentials and access to a small set of accounts on two third-party platforms, highlighting the importance of protecting third-party access points and monitoring for credential compromise.
  • Policymakers and regulators: The episode "falls in line with official warnings earlier this year that Iranian actors may target critical infrastructure, including water and wastewater systems (WWS)," underlining the continued relevance of those advisories for oversight and resilience efforts.
  • Customers and the general public: Cal Water's investigation found one active customer account was accessed but stated explicitly that the account did not yield billing access and that "no payment information was compromised."

Cal Water's account of events is narrowly drawn: investigators found unauthorized access confined to a small number of user accounts on third-party platforms and no evidence of threat actor activity in the utility's internal IT or operational technology environments. The company has committed to continued work with government partners and outside experts. Whether the protections around remaining third-party dependencies and credential management are sufficient to prevent similar intrusions in the future is a question the facts in this update leave open.

Source: Security Magazine — Cal Water Confirms User Credentials Exploited in Hacking