The Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyberattack that occurred last week. The attack, which was disclosed on March 19, gave threat actors access to customer and employee information.
While the agency has yet to reveal the name of the group behind the attack, the Vice Society ransomware gang added the authority to the list of victims on its Tor leak site.
The agency quickly activated its incident response procedure after detecting the attack and has been working with the relevant authorities, including the FBI and CISA.
Although customer and employee information was compromised, operations at the critical infrastructure managed by the agency in Puerto Rico were not impacted. The agency is going to notify impacted customers and employees via breach notification letters and recommends that they change their passwords.
This attack highlights the increasing risk of cyberattacks against critical infrastructures, including drinking water systems, which are vulnerable to both cybercriminal organizations and nation-state actors.
In response to this risk, the Biden administration has made it mandatory for states to conduct cybersecurity audits of public water systems. Recent audits show that many water systems lack proper defense, including cybersecurity practices, and rely on voluntary measures with poor progress.
