The Iranian hacker group Handala claimed to have gained deep access to Cal Water's industrial control systems and threatened disruption of the water supply. However, the investigation led by Mandiant found no evidence of activity within Cal Water's internal IT or OT environments. The threat actor accessed a small number of user accounts on two third-party service provider platforms and leaked data including personal and billing information. The investigation confirmed that the compromised customer account did not provide access to the billing system or payment data. The incident highlights risks to the water sector from legacy systems and third-party platforms but did not result in operational disruption.

Unauthorized access was limited to a small number of user accounts on third-party platforms, resulting in the leak of approximately 5 GB of data containing personal information and some customer billing data. No payment or sensitive financial information was compromised. There was no evidence of compromise or disruption of Cal Water's internal IT or operational technology systems, and no impact on water supply operations was observed.

The vendor advisory indicates that the threat actor's activity was limited to unauthorized access on third-party platforms and that no internal IT or OT systems were compromised. Cal Water has engaged cybersecurity experts to investigate and respond. Organizations should continue to monitor third-party service provider security and ensure strong credential management. Patch status is not applicable as no vulnerability or exploit was confirmed in Cal Water's systems. No urgent remediation actions are indicated beyond ongoing security vigilance and collaboration with government partners.