Water utility or wastewater customer-data breach
Customer billing and account data — not the treatment plant.
The scenario
Your water or wastewater customer-information system (billing, account records, service requests) is breached. The treatment plant and SCADA are not affected.
Who this is for: Utility director, IT lead, CAO.
First steps
- 1. Confirm scope: customer data only, not OTFirst hour
Network segmentation should keep customer billing and SCADA separate. Verify with your IT lead before proceeding — if SCADA is implicated, this is the wrong playbook.
- 2. Notify WaterISACFirst hour
Free for member utilities. They will help confirm scope and route to specialist resources if OT is involved.
- 3. Preserve billing system logsFirst day
Customer account access, payment data exposure, and any altered consumption records.
- 4. Pause auto-billing if billing data integrity is uncertainFirst day
Better a late bill than a wrong one — residents notice immediately and the fix is harder than the pause.
Continuity of service
- Manual meter-reading entry; paper account notes; defer cut-off notices for one cycle.
Communication
Standard breach notification, with explicit reassurance that water quality and supply are unaffected if SCADA is clean.
Regulator hand-off
- US: WaterISAC, state AG, EPA region, CISA via CIRCIA.
- Canada: provincial environment ministry, provincial privacy commissioner, CCCS.
FAQ
Stop using this playbook. Call WaterISAC's emergency line and your specialist OT response firm. Treatment plant response is outside HackFirstAid's scope — by design.