Handala’s Cal Water Breach Claim Exposes Hidden Risk in Utility Networks


Threat intelligence firm Dataminr reported that Handala, an Iran-linked threat actor, claimed it breached California Water Service and published stolen data from the utility. The evidence released so far, however, points to a narrower compromise than the group’s public claims suggest.

Dataminr assessed that the incident involved an RTKBase/NTRIP GPS correction environment and a customer billing database. The firm said it had not confirmed access to water treatment systems, supervisory control and data acquisition (SCADA) systems, or other industrial control systems.

The exposed material allegedly included customer billing records, RTKBase administrative credentials, an NTRIP source password, and technical details from the GPS correction network. Dataminr said the incident highlights the risk posed by field-support systems that are exposed online or insufficiently separated from enterprise networks.

The Overlooked Tool at the Center of the Breach

RTKBase is an open-source platform used to run a global navigation satellite system, or GNSS, correction base station, which helps field crews obtain more precise GPS data. Utilities can use that location accuracy for infrastructure mapping, asset surveying, and other field work.

Dataminr assessed the RTKBase environment as a probable initial access vector or lateral pivot point in the breach, suggesting the GPS correction system may have helped attackers reach more sensitive data.

The exposed data reportedly included customer names, service addresses, phone numbers, account numbers, and payment histories. That information could be used for fraud, phishing, or follow-on attacks against customers or employees.

The incident also raises questions about network segmentation. RTKBase belongs to the operational support side of utility work, while billing records belong to the enterprise side. Security experts said those environments should be segmented to prevent easy movement between them.

The breach does not show confirmed access to treatment systems or distribution controls. But Dataminr and outside experts said it suggests that the boundaries between operational support tools and business systems may be weaker than intended.

A Breach Claim With a Political Message

Handala did not present the breach as ordinary data theft. The group framed it as retaliation tied to U.S.-Iran hostilities, casting a utility breach as part of a broader political conflict.

Handala also claimed it could have disrupted water service but chose not to. Dataminr’s assessment does not support that claim.

“Nothing in the published evidence supports Handala’s claim that it can shut off water in U.S. cities,” said Sean Malone, chief information security officer at BeyondTrust. “The boast about choosing to spare the water supply reads as the psychological operation itself.”

Why the Breach Still Concerns Defenders

Dataminr and outside researchers have tied Handala to hack-and-leak operations, destructive malware and wipers capable of overwriting a system’s Master Boot Record. That history affects how defenders assess the Cal Water incident. A data dump may represent the full scope of the operation, or it may provide material for later activity.

“The group has a documented history of rapidly escalating from data theft to full-scale destructive operations within the exact same campaign cycle,” said John Gallagher, vice president at Viakoo.

What Other Utilities Should Review

For other utilities, security experts said the incident should prompt a review of overlooked field-support systems.

That includes internet-facing RTKBase/NTRIP deployments, telemetry platforms, mapping systems and other software used by field crews outside the main enterprise stack. Any exposed or shared credentials tied to those systems should be treated as compromised and rotated. Access should be restricted through protected pathways such as VPNs, zero-trust access controls, and multi-factor authentication.

The harder issue is segmentation. Field systems, billing databases, and operational technology environments need firm boundaries between them. A compromised GPS correction server should not provide a path to customer records, and a billing database should not sit within easy reach of operational support tools.
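One way to turn that segmentation advice into a routine check is to audit firewall or flow logs against the zone boundaries the article describes. The script below is an added example, not code from Dataminr or Cal Water; the zone CIDRs, log format and sample flow lines are all constructed. It flags two conditions: an external source reaching a field-support host (with the default NTRIP caster port 2101 called out specifically), and an allowed flow from the field-support zone into the enterprise zone, which is the pivot the incident illustrates.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed zone map; the address ranges are hypothetical, not a real utility's.
ZONES = {
    "field_support": ipaddress.ip_network("10.20.0.0/16"),  # RTKBase/NTRIP, mapping, telemetry
    "enterprise":    ipaddress.ip_network("10.50.0.0/16"),  # billing database, office IT
    "ot":            ipaddress.ip_network("10.90.0.0/16"),  # SCADA / treatment and distribution
}
# Cross-zone pairs that are deliberately permitted (e.g. an enterprise jump host
# administering field tools). Anything else crossing a zone boundary is a finding.
ALLOWED_PAIRS = {("enterprise", "field_support")}
NTRIP_PORT = 2101  # default NTRIP caster port

# Constructed log format: one allowed/denied connection per line.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
Finding = namedtuple("Finding", "kind src dst dport")

# Constructed sample lines: an internet host hitting the NTRIP caster, the
# RTKBase host opening a database connection into billing, a permitted admin
# session, a denied OT probe, and ordinary same-zone traffic.
SAMPLE_FLOWS = [
    "src=203.0.113.7 dst=10.20.1.5 dport=2101 action=ALLOW",
    "src=10.20.1.5 dst=10.50.3.10 dport=1433 action=ALLOW",
    "src=10.50.8.2 dst=10.20.1.5 dport=22 action=ALLOW",
    "src=10.20.1.5 dst=10.90.1.1 dport=502 action=DENY",
    "src=10.20.1.5 dst=10.20.1.9 dport=80 action=ALLOW",
]

def zone_of(ip):
    """Return the zone name for an address, or 'external' if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit_flows(lines):
    """Return findings for allowed flows that cross a boundary they should not."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m or m.group(4) != "ALLOW":
            continue  # denied flows mean the boundary held
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "external" and dz in ("field_support", "ot"):
            kind = "internet_exposed_ntrip" if dport == NTRIP_PORT else "internet_exposed"
            findings.append(Finding(kind, src, dst, dport))
        elif sz != dz and sz != "external" and (sz, dz) not in ALLOWED_PAIRS:
            findings.append(Finding("cross_zone", src, dst, dport))
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.dport}")
```

Run against real firewall exports, the same logic gives a concrete list of boundaries that exist on paper but not in the rule set.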

“The lesson for critical infrastructure owners and operators is in the lateral movement that took place,” said Shane Barney, chief information security officer at Keeper Security. “An internal system became a bridge to customer data because the network boundaries between them were not enforced.”

Author

Michael Ansaldo, Contributing Writer, Security Buzz

Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.