The Iranian-linked hacking group Handala has claimed to have breached several California water systems, including those in Bakersfield, Visalia, and Chico, but an investigation by Cal Water and cybersecurity experts has found no evidence of operational technology (OT) or industrial control system (ICS) disruption.
What Happened
Handala publicly claimed responsibility for the breach on June 12, 2026, stating that it had gained access to several systems, including a customer billing database and a GPS correction server. The group published screenshots of what it said were residents' water bills and asserted that 5GB of data had been exfiltrated.
However, an independent analysis by Dataminr, as reported by SJV Water, found that the activity was limited to non-critical IT systems at California water utilities; there is no evidence that OT or ICS environments were accessed or disrupted. The California Water Service Company (Cal Water) conducted a preliminary scan and reported no signs of compromise within its IT systems or its water production and delivery systems.
Background and Context
The incident highlights the persistent threat posed by foreign adversaries to critical infrastructure, including the water sector. Handala's operations are designed to generate fear, uncertainty, and media attention, according to experts. The group has a record of overstating its capabilities, and its claims should be treated as a credible warning of intent and potential capability, rather than proof that it can currently shut off water supplies across American cities.
Security experts note that Handala's recent attacks have included operational disruption, data destruction, and public leaking of the stolen data. However, even where the group has obtained access to IT systems, there is no indication that it has acquired the capability to disrupt SCADA systems, PLCs, pump controls, treatment systems or other OT components.
Why It Matters to the Industry
The incident is a reminder that the water sector needs robust cybersecurity measures. The threat from foreign adversaries is real and persistent, and critical infrastructure operators must stay vigilant. It also underlines the need for regular security assessments, patching, and monitoring to prevent unauthorized access to both IT and OT systems, since an IT foothold is the usual starting point for any attempt to reach OT.
Experts recommend that critical infrastructure operators validate patching on internet-facing systems, enforce phishing-resistant MFA on privileged accounts, restrict internet exposure of administrative interfaces, and monitor for anomalous outbound transfers. These measures can help prevent similar incidents in the future and ensure the continued reliability and security of critical infrastructure systems.
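Two of those recommendations, monitoring for anomalous outbound transfers and checking that administrative interfaces are not reachable from the internet, can be turned into detection logic that runs over firewall or flow logs. The block below is an added example written for this page; it is not code from Cal Water, Dataminr, Mandiant or SJV Water. The "ts src dst dport bytes" log format, the internal address ranges, the set of management ports and the byte thresholds are all assumptions, and the log lines are constructed to include one host that moves about 5 GiB to a single external address in two sessions, and one external address that opens an RDP session directly to an internal host.

```python
"""Detection logic for two recommendations: anomalous outbound transfers and
externally exposed administrative interfaces.

Added example, not code from Cal Water, Dataminr, Mandiant or SJV Water.
The "ts src dst dport bytes" log format, the internal address ranges, the
admin port list and the byte thresholds are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (assumed format: ts src dst dport bytes).
# 10.20.5.17 sends ~5 GiB to one external host in two sessions; one external
# address opens an RDP session straight to an internal host.
SAMPLE_LOGS = """\
2026-06-11T02:14:05Z 10.20.5.17 203.0.113.44 443 2147483648
2026-06-11T02:31:10Z 10.20.5.17 203.0.113.44 443 3221225472
2026-06-11T09:05:00Z 10.20.5.23 198.51.100.9 443 52428800
2026-06-11T09:06:12Z 10.20.9.4 10.20.1.10 1433 734003200
2026-06-11T11:40:30Z 10.20.5.23 198.51.100.9 443 31457280
2026-06-11T13:22:02Z 10.20.7.8 192.0.2.77 22 104857600
2026-06-11T14:00:00Z 198.51.100.200 10.20.5.17 3389 4096
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 5900, 8443}        # assumed set of management ports
PER_DEST_LIMIT = 1 * 1024 ** 3               # 1 GiB to a single external host
PER_HOST_LIMIT = 4 * 1024 ** 3               # 4 GiB total egress per internal host


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text: str):
    """Yield one dict per non-empty log line in the assumed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def find_anomalous_egress(log_text, per_dest=PER_DEST_LIMIT, per_host=PER_HOST_LIMIT):
    """Aggregate internal->external bytes per (src, dst) pair and per source host.

    Aggregation matters: a multi-gigabyte exfiltration is usually split across
    many sessions, none of which looks large on its own.
    """
    per_pair = defaultdict(int)
    per_src = defaultdict(int)
    for rec in parse(log_text):
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                      # not an egress flow
        per_pair[(rec["src"], rec["dst"])] += rec["bytes"]
        per_src[rec["src"]] += rec["bytes"]

    alerts = []
    for (src, dst), total in sorted(per_pair.items()):
        if total > per_dest:
            alerts.append({"kind": "single_destination", "src": src, "dst": dst, "bytes": total})
    for src, total in sorted(per_src.items()):
        if total > per_host:
            alerts.append({"kind": "host_total", "src": src, "bytes": total})
    return alerts


def find_exposed_admin_access(log_text, admin_ports=ADMIN_PORTS):
    """Return external->internal sessions on management ports.

    Any hit means an administrative interface answered from the internet.
    """
    return [
        rec for rec in parse(log_text)
        if not is_internal(rec["src"]) and is_internal(rec["dst"]) and rec["dport"] in admin_ports
    ]


if __name__ == "__main__":
    for a in find_anomalous_egress(SAMPLE_LOGS):
        print("EGRESS", a)
    for r in find_exposed_admin_access(SAMPLE_LOGS):
        print("EXPOSED", r)
```

On the constructed input the egress check raises two alerts for 10.20.5.17 (one for the single destination, one for the host total) and the exposure check returns the single inbound RDP session. The fixed thresholds are placeholders: in production the limits should come from a per-host baseline, and the aggregation window should be wide enough to catch a transfer spread over days rather than hours. Logs from OT network segments deserve their own, stricter version of the same checks, since almost any internet-bound flow from those segments is anomalous.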
What Comes Next
The incident is a wake-up call for critical infrastructure operators to review their cybersecurity posture and take proactive steps to protect against cyber threats. The California Water Service Company has hired cybersecurity experts, including Google's Mandiant unit, to assist with the investigation into the cybersecurity incident.
As the threat landscape continues to evolve, critical infrastructure operators need to stay informed about emerging threats and current best practices. Regular security assessments, training, and awareness programs help ensure that organizations can respond to incidents and keep unauthorized users out of their systems.
Key Facts
- The Iranian-linked hacking group Handala claimed to have breached several California water systems, including those in Bakersfield, Visalia, and Chico.
- An investigation by Cal Water and cybersecurity experts found no evidence of operational technology (OT) or industrial control system (ICS) disruption.
- Handala published screenshots of what it said were residents' water bills and asserted that 5GB of data had been exfiltrated.
- The breach was limited to non-critical IT systems within California water utilities; the systems Handala claimed to have accessed were a customer billing database and a GPS correction server.
- Security experts say Handala's operations are designed to generate fear, uncertainty, and media attention, and there is no indication that the group can disrupt OT or ICS systems.
- The incident highlights the importance of robust cybersecurity measures in the water sector and serves as a reminder of the persistent threat posed by foreign adversaries to critical infrastructure.