Handala claimed it spared Cal Water customers from a water disruption, but still leaked 5GB of alleged stolen data tied to the utility’s customers and internal systems.

5GB Cal Water Hack Leak Puts 2M Customers on Alert
XOOMAR Intelligence
Analyst Take
The Iran-linked group said this week it hacked California Water Service, known as Cal Water, and published data that includes customer personal information and credentials for the RTKBase platform, according to SecurityWeek. Cal Water has not publicly acknowledged the intrusion, and the level of access Handala actually had remains unconfirmed.
Iran-linked Handala says it breached Cal Water and leaked 5GB of files
Handala framed the alleged breach as retaliation for recent US actions in Iran. In its post, the group claimed it had the ability to disrupt water access but chose not to.
That claim is the flashpoint. A data leak is already serious. A credible path into systems adjacent to utility operations would be worse. So far, SecurityWeek reports that OT/ICS disruption has not been confirmed.
Dataminr, the threat intelligence company cited in the report, assessed that Handala likely accessed Cal Water’s RTKBase instance, a GNSS base station platform, before moving laterally to a billing system. GNSS base stations provide correction data for satellite positioning. NTRIP, also referenced in the leak, is a protocol used to stream that correction data.
Cal Water is one of the largest investor-owned water utilities in the US, serving roughly two million customers across 100 communities in California. Dataminr said Cal Water’s Chico District has been confirmed as a victim of the attack.
The leaked data appears to include a bulk customer billing database export. SecurityWeek reported that the dump contains names, addresses, phone numbers, account numbers, payment histories, administrative credentials for RTKBase, and a mountpoint-level NTRIP source password.
“The RTKBase instance had been operational for approximately 783 continuous hours at the time of access, with GPS correction data streamed across all seven identified district mountpoints,” Dataminr said.
That detail matters because it points to a live system, not just an abandoned credential set. It doesn’t prove water service was at risk. It does suggest investigators need to understand whether the RTKBase environment was isolated cleanly from billing and other internal systems.
Leaked customer data and RTKBase credentials raise utility security concerns
The exposed customer records create the most immediate risk. Names, addresses, phone numbers, account numbers, and payment histories can be used to build convincing fraud attempts.
XOOMAR analysis: The danger here is not limited to the data dump itself. When attackers publish customer billing records, follow-on abuse can become more targeted. Customers may receive messages that look more credible because the sender can reference real account or payment details. That inference is grounded in the reported data types, not in any confirmed Cal Water customer fraud campaign.
The credential leak is the sharper technical problem. Administrative RTKBase credentials and an NTRIP source password can give investigators a clue about how the attackers moved, or how far they might have been able to move.
Dataminr separated the environments in its assessment:
“The billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment,” the company said.
That sentence is doing a lot of work. It says Dataminr does not treat RTKBase and billing as the same system. It also says the RTKBase environment may have been the bridge.
| Area | Reported exposure | Confirmed disruption |
|---|---|---|
| Customer billing data | Names, addresses, phone numbers, account numbers, payment histories | No service disruption reported |
| RTKBase platform | Administrative credentials | No OT/ICS disruption confirmed |
| NTRIP network | Mountpoint-level source password and IP enumeration across seven districts | No confirmed manipulation of correction data |
Handala’s profile raises the stakes. SecurityWeek reported that the US has linked the group to Iran’s Ministry of Intelligence and Security, and that it is also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore.
The group is known for data theft, wiper malware, destructive activity, and psychological operations, according to the source material. Dataminr specifically warned that Handala’s toolkit includes custom wipers and MBR-overwriting capabilities.
For readers following breach-response patterns, XOOMAR has tracked adjacent security pressure points in 13.5GB Tchap Data Breach Puts French Chats at Risk and Langflow Flaw Lets Hackers Write Files on AI Servers. The shared lesson is narrow but practical: exposed data and exposed access paths have to be handled as separate response tracks.
Cal Water customers now wait for breach confirmation, notices, and password resets
The next move belongs to Cal Water. SecurityWeek said it emailed the company for comment and would update its report if Cal Water responded.
Until the utility speaks publicly, several core questions remain open:
- Acknowledgment: Has Cal Water confirmed the intrusion internally or to customers?
- Scope: Is the confirmed victim limited to the Chico District, or did other districts have exposed systems?
- Credential status: Were the RTKBase and NTRIP credentials active when leaked?
- Access path: Did Handala enter through RTKBase, billing, or another system entirely?
- Containment: Has the RTKBase instance been taken offline, audited, or segmented from billing systems?
Dataminr’s recommended response is blunt. It said exposed credentials should be treated as compromised and rotated immediately. It also said the RTKBase instance should be taken offline and audited, while network segmentation and billing-system access logs should be reviewed.
Customers don’t have enough confirmed detail to know whether their own records are in the dump. Still, practical caution is warranted. Messages claiming to come from Cal Water should be verified through official channels, especially if they reference account details or request payment changes. Reused passwords tied to utility accounts should be changed.
The larger risk is follow-on action. Dataminr warned that Handala often makes an initial claim before escalating.
“Handala’s operational pattern frequently involves an initial claim followed by escalated action. Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly,” Dataminr said.
That is the watch item now: whether this remains a data-theft and exposure incident, or whether the leaked credentials and claimed access become part of a second phase. For a water provider, even an unconfirmed disruption claim can damage trust. A confirmed lateral path between technical platforms and billing systems would raise harder questions about segmentation, monitoring, and how quickly Cal Water can prove the attacker is out.
Impact Analysis
- The alleged breach exposed sensitive customer and internal utility data tied to a major California water provider.
- Claims of access near operational systems raise concern even though OT/ICS disruption has not been confirmed.
- The incident highlights how geopolitical cyber activity can target critical infrastructure providers.
Cal Water Service Footprint
Written by
XOOMAR Insights Team
Research and Editorial Desk