Iranian Cyber Group Handala Claims Cal Water Hack
The hackers published 5GB of data, including customer personal information and credentials for the RTKBase platform. The post Iranian Cyber Group Handala Claims Cal Water Hack appeared first on SecurityWeek.
AI Analysis
Technical Summary
Iran-linked threat actor Handala reportedly compromised Cal Water's RTKBase platform, a GNSS base station system, and subsequently accessed the billing system. The attackers published a 5GB data dump containing personally identifiable information (PII) such as names, addresses, phone numbers, account numbers, payment histories, and administrative credentials for RTKBase. The RTKBase platform likely served as the initial access vector or pivot point. Although no OT/ICS disruption is confirmed, Handala has a history of deploying destructive malware including custom wipers and MBR overwriting tools, indicating potential for escalation. The Chico District of Cal Water is confirmed as impacted. The group claims the attack was retaliation for US actions in Iran and asserts capability to disrupt water access but has not done so.
Potential Impact
Exposure of sensitive customer PII and billing information compromises privacy and could facilitate identity theft or fraud. Administrative credentials for the RTKBase platform are compromised, risking further unauthorized access or manipulation of GNSS correction data. The breach may enable future destructive attacks given the threat actor's known use of wiper malware. Operational disruption of water services is not confirmed but remains a potential risk. The incident undermines trust in Cal Water's security posture and may have regulatory and reputational consequences.
Mitigation Recommendations
All credentials exposed in the data dump should be considered compromised and must be immediately rotated. The RTKBase instance should be taken offline and subjected to a thorough security audit. Network segmentation between the RTKBase platform and billing systems should be enforced or reviewed. Access logs for the billing system should be analyzed for suspicious activity. Cal Water and affected organizations should monitor for any signs of follow-on destructive activity given the threat actor's history. No official patch or fix is indicated; remediation focuses on incident response and credential management.
Technical Details
- Article Source: https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/ (fetched 2026-06-12T11:39:26.336Z, 1206 words)
Threat ID: 6a2befeee617e2d8345e420b
Added to database: 6/12/2026, 11:39:26 AM
Last enriched: 6/12/2026, 11:39:34 AM
Last updated: 6/12/2026, 12:39:53 PM