Particle.news

Iran-Linked Handala Publishes 5GB Claim of Breach at California Water Service

Security firms say the group accessed an internet-exposed GNSS/NTRIP tool that likely let attackers pivot into a billing database, raising concern the disclosure could precede destructive follow-on activity.

Overview

  • Handala posted a 5-gigabyte proof-of-claim saying it stole customer records and internal dashboards from California Water Service and framed the intrusion as retaliation for recent US strikes in Sirik, Iran.
  • Analysis by Dataminr and other firms found the dump appears to include a customer billing database with names, addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts.
  • Researchers identified an internal RTKBase GNSS/NTRIP instance in the published materials and found administrative credentials and an NTRIP source password in plaintext, which they say was likely the initial access point or lateral pivot into billing systems.
  • Cal Water has not publicly confirmed a breach, although Dataminr says the Chico district appears in the data; no confirmed disruption to water treatment or SCADA systems has been reported so far.
  • Cybersecurity firms advise treating exposed credentials as compromised, rotating passwords, taking RTKBase instances offline for audit, and enforcing strict network segmentation between field GPS tools and billing/IT systems to reduce risk to customers and operations.
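The two defensive points the firms raise, plaintext credentials in an exposed GNSS/NTRIP tool and missing segmentation between field GPS systems and billing/IT networks, can both be checked mechanically. The script below is an added example written for this page; it is not code from Cal Water, RTKBase, Dataminr or any of the firms cited. The INI section and key names (`ntrip_A`, `svr_pwd`, `local_ntrip_caster`, `local_ntripc_pwd`, `web_bind`) are assumptions modelled loosely on an RTKBase-style settings file, the sample config and firewall rules are constructed, and the subnets are placeholders.

```python
"""Audit an RTKBase-style config for plaintext secrets and public listeners,
and check that a firewall allow-list does not let the field GPS subnet reach
the billing subnet. Section/key names below are assumptions, not RTKBase's
documented schema."""
import configparser
import ipaddress

# Constructed sample config (assumed key names, not from any real deployment).
SAMPLE_CONFIG = """
[general]
receiver = u-blox

[ntrip_A]
svr_addr = caster.example.invalid
svr_port = 2101
svr_pwd = hunter2
mnt_name = BASE1

[local_ntrip_caster]
local_ntripc_bind = 0.0.0.0
local_ntripc_port = 2101
local_ntripc_user = admin
local_ntripc_pwd = admin

[web]
web_bind = 0.0.0.0
web_port = 80
"""

# Constructed allow-list of (src_cidr, dst_cidr, dst_port); placeholder subnets.
SAMPLE_RULES = [
    ("10.20.0.0/24", "10.20.0.0/24", 2101),  # GNSS tools talk to each other: fine
    ("10.20.0.0/24", "10.50.0.0/24", 1433),  # GNSS subnet -> billing DB: violation
    ("10.30.0.0/24", "10.50.0.0/24", 443),   # office subnet -> billing web: fine
]

SECRET_KEY_HINTS = ("pwd", "password", "passwd", "secret", "token")
WEAK_VALUES = {"", "admin", "password", "123456", "rtkbase"}
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def looks_like_secret_key(key):
    """Heuristic: any key whose name suggests it holds a credential."""
    k = key.lower()
    return any(hint in k for hint in SECRET_KEY_HINTS)


def audit_config(text):
    """Return findings for plaintext credentials and listeners bound to all
    interfaces. Every credential stored in clear is reported, because the
    advice is to treat anything that was exposed as compromised and rotate it;
    default/empty values are rated high."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if looks_like_secret_key(key):
                severity = "high" if value.lower() in WEAK_VALUES else "medium"
                findings.append({"section": section, "key": key,
                                 "issue": "plaintext_credential",
                                 "severity": severity})
            if key.lower().endswith("bind") and value in PUBLIC_BINDS:
                findings.append({"section": section, "key": key,
                                 "issue": "public_bind", "severity": "high"})
    return findings


def find_segmentation_violations(allow_rules, field_net, billing_net):
    """Return every allow rule that permits traffic from the field GPS subnet
    into the billing subnet; a segmented network should return an empty list."""
    field = ipaddress.ip_network(field_net)
    billing = ipaddress.ip_network(billing_net)
    violations = []
    for src, dst, port in allow_rules:
        if (ipaddress.ip_network(src).overlaps(field)
                and ipaddress.ip_network(dst).overlaps(billing)):
            violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['section']}.{f['key']}: {f['issue']}")
    for v in find_segmentation_violations(SAMPLE_RULES, "10.20.0.0/24", "10.50.0.0/24"):
        print(f"[high] segmentation: rule {v} lets GNSS subnet reach billing")
```

On the constructed config this reports the caster password and the default `admin` password as plaintext credentials to rotate, and flags both the caster and the web UI as bound to every interface; the rule check singles out the one allow-list entry that lets the GNSS subnet reach the billing database port. Run it against a real settings file and exported firewall rules once an instance has been taken offline for audit.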