An Iranian-affiliated hacking group, Handala, provided a 5GB data dump as evidence for its claim that it breached California Water Service (Cal Water). The exposed data included customer billing records and administrative credentials for an internal GPS correction network that spans at least seven of Cal Water's districts.
Cal Water serves approximately two million customers across 100 California communities. Under California law, a confirmed exposure of customer PII triggers breach notification obligations. Customers whose billing data was exposed face elevated spear-phishing risk from attackers using exfiltrated account and contact data.
Cal Water told several news outlets that it activated its cybersecurity response plan immediately upon learning of the claim, is working with state and federal partners and outside experts, and its preliminary findings show no operational disruptions to its water, wastewater, or billing systems. The company has not confirmed or denied that customer data was accessed.
An analysis by Dataminr researchers attributed the breach and dump activity to Handala with high confidence. Affiliated with Iran's Ministry of Intelligence and Security, Handala is tracked by Microsoft and Check Point Research as Void Manticore and Storm-0842, respectively. The group has been active since December 2023, with a marked escalation in U.S.-targeting following the onset of U.S.-Iran military tensions earlier this year. The claimed Cal Water breach follows the group's most significant U.S. action to date: the March 2026 destructive wiper attack against Stryker Corporation, and aligns with a 2026 federal advisory warning of Iranian targeting of U.S. water-sector technologies.
Cal Water’s internal RTKBase deployment is the reported entry point. RTKBase, an open-source GNSS base station application that streams centimeter-accurate GPS corrections to field crews mapping and maintaining water infrastructure, reportedly had been running continuously for approximately 783 hours across seven district mountpoints when access was confirmed. RTKBase is typically deployed on Raspberry Pi-class hardware with a web-based administrative panel exposed on internal networks; the Cal Water instance ran on standard HTTP port 10000. Administrative credentials and mountpoint-level source passwords for the platform were published in plaintext in the data dump.
According to Dataminr, that RTKBase network access then led Handala to reach the billing environment. The billing database, separately accessed, appears to contain names, service addresses, phone numbers, account numbers, and payment history for accounts across multiple districts; the full scope of affected records has not been independently confirmed. The 5GB dump volume, however, is consistent with a bulk database export.
The pivot from RTKBase to billing highlights the risk of weak network segmentation. GPS and survey infrastructure tools are often categorized as low-criticality operational assets because they don't control treatment processes and don't sit in SCADA environments, so they receive minimal security attention. But when those tools share network segments with customer information systems, supposedly low-risk assets become a direct line to critical assets and data.
The takeaways from Dataminr's analysis are security lapses that experts have long warned about: lightweight, web-exposed operational tools deployed on internal networks without strong authentication or active monitoring, and operators who do not know which assets and applications are running on their networks or how those systems are segmented. Operators need to maintain that inventory and regularly check whether administrative panels are accessible beyond their intended users.
Late last year, the EPA's Office of Inspector General assessed 1,062 drinking water systems serving populations of 50,000 or more, and the results were alarming. Ninety-seven systems serving approximately 26.6 million people carried critical or high-risk cybersecurity vulnerabilities; another 211 systems, serving more than 82.7 million, had medium to low-risk exposures. The EPA also lacks a dedicated cybersecurity incident reporting system for water and wastewater systems, relying instead on CISA for that function.
The vulnerabilities the OIG documented include failure to change default passwords, the use of a single shared login for all staff, and failure to revoke access for former employees. "What's being described is as much a cultural issue as a technical one," John Terrill, CISO at Phosphorus Cybersecurity, said at the time of the release of the report. "The water infrastructure operators have lacked organizational oversight for some time," he continued. Budget constraints endemic to locally funded municipal utilities, combined with the complexity of securing both IT and OT environments across multi-vendor infrastructure, have left the sector chronically under-resourced in security.
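The three lapses the OIG documented are all auditable from data a utility already holds: its account table, its HR roster, and its authentication logs. The script below is an added example, not code from the article, the OIG report, or any vendor, and runs entirely over constructed sample data: it flags enabled accounts whose password hash matches a constructed list of vendor defaults, accounts used from more workstations than one person plausibly would (the "shared login" pattern), and enabled personal accounts whose owner is no longer on the staff roster. All usernames, passwords, hashes, IP addresses, and log lines are constructed, and the unsalted SHA-256 is used only so the example is self-contained; a real account store would expose a verify-against-default routine rather than raw hashes.

```python
"""
Added example (not from the article or the EPA OIG report): three audit
checks for the access-control lapses the OIG documented, over constructed
sample data so it runs offline.

  1. default passwords  - account hashes compared against the hashes of a
                          constructed list of vendor defaults
  2. shared logins      - one account used from many distinct source IPs
  3. unrevoked access   - enabled accounts whose owner is not on the roster
"""
import hashlib
from collections import defaultdict

# Constructed list of "vendor default" passwords a product might ship with.
DEFAULT_PASSWORDS = ["admin", "password", "1234", "basestation"]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed account table: (username, enabled, password_hash, owner)
ACCOUNTS = [
    ("admin",      True,  sha256_hex("admin"),        None),
    ("ops-shared", True,  sha256_hex("Tr0ub4dor&3"),  None),
    ("jdoe",       True,  sha256_hex("cN9!pq2Lz$"),   "Jane Doe"),
    ("rsmith",     True,  sha256_hex("Qw8#vb1Mn@"),   "Rob Smith"),
    ("tlee",       False, sha256_hex("x"),            "Tom Lee"),
]

CURRENT_STAFF = {"Jane Doe"}  # constructed HR roster: Rob Smith has left

# Constructed auth-log lines: "<timestamp> LOGIN user=<name> src=<ip>"
AUTH_LOG = """\
2026-04-01T07:58:02 LOGIN user=ops-shared src=10.20.1.31
2026-04-01T08:02:10 LOGIN user=ops-shared src=10.20.1.44
2026-04-01T08:05:55 LOGIN user=jdoe src=10.30.5.12
2026-04-01T08:11:40 LOGIN user=ops-shared src=10.20.1.57
2026-04-01T08:40:03 LOGIN user=ops-shared src=10.20.2.9
2026-04-01T09:15:27 LOGIN user=rsmith src=10.30.5.80
2026-04-01T10:01:00 LOGIN user=jdoe src=10.30.5.12
"""


def default_password_accounts(accounts, defaults=DEFAULT_PASSWORDS):
    """Enabled usernames whose stored hash equals the hash of a known default."""
    default_hashes = {sha256_hex(p) for p in defaults}
    return sorted(u for u, enabled, h, _ in accounts if enabled and h in default_hashes)


def parse_auth_log(text):
    """Yield (user, src_ip) from the constructed log format; skip malformed lines."""
    for line in text.splitlines():
        fields = dict(p.split("=", 1) for p in line.split()[2:] if "=" in p)
        if "user" in fields and "src" in fields:
            yield fields["user"], fields["src"]


def shared_login_accounts(log_text, max_sources=2):
    """Accounts seen from more distinct source IPs than one person plausibly uses."""
    sources = defaultdict(set)
    for user, src in parse_auth_log(log_text):
        sources[user].add(src)
    return sorted(u for u, ips in sources.items() if len(ips) > max_sources)


def unrevoked_accounts(accounts, staff):
    """Enabled personal accounts whose owner no longer appears on the roster."""
    return sorted(u for u, enabled, _, owner in accounts
                  if enabled and owner is not None and owner not in staff)


if __name__ == "__main__":
    print("default passwords:", default_password_accounts(ACCOUNTS))
    print("shared logins    :", shared_login_accounts(AUTH_LOG))
    print("unrevoked access :", unrevoked_accounts(ACCOUNTS, CURRENT_STAFF))
```

The shared-login threshold is deliberately a parameter: a survey crew that legitimately logs in from a handful of field laptops will need a higher `max_sources` than an office billing clerk, and the useful signal is the account that exceeds whatever its role justifies.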
The economic stakes are high. The U.S. Water Alliance's report, Tapping Potential: The Economic Benefits of Investing in Water Infrastructure, puts the cost of a single nationwide day without water at $121.8 billion in lost economic output. Despite the America's Water Infrastructure Act of 2018 requiring community water systems to develop risk and resilience assessments, a May 2024 EPA enforcement alert found that more than 70% of inspected systems had failed to comply.
That doesn’t position water treatment plants well when it comes to defending themselves against nation-state actors. Handala's toolkit includes custom wipers and MBR-overwriting capabilities, and the group has demonstrated a willingness to escalate from data theft to destructive operations within the same campaign. No SCADA or water treatment process disruption has been confirmed in this incident.
Dataminr's researchers note, however, that the group's pattern has involved an initial claim followed by escalated action, such as the Stryker incident, a sequencing that warrants treating the current disclosure as a potential precursor rather than a conclusion.