close
close

Multiple Law Firms Filed Lawsuit After Water Company Data Breach

Multiple Law Firms Filed Lawsuit After Water Company Data Breach

A New Jersey utility company has faced nine class-action lawsuits since disclosing that it was the target of a data breach.

The lawsuits were filed by Brown LLC of Jersey City; Shub & Johns of Conshohocken, Pennsylvania; Federman & Sherwood of Oklahoma City, Oklahoma; Ahdoot & Wolfson, Radnor, Pennsylvania; Kopelowitz Ostrow Ferguson Weiselberg Gilbert of Bala Cynwyd, Pennsylvania; San Juan, Puerto Rico Laukaitis Act; Chimicles Schwartz Kriner and Donaldson-Smith of Haverford, Pennsylvania; Carella Byrne Cecchi Brody and Agnello of Roseland, New Jersey; and George Feldman McDonald of New York.

The defendant, American Water Works Co. of Camden, New Jersey, announced in an Oct. 3 regulatory filing with the U.S. Securities and Exchange Commission that its networks and systems were compromised by a cybersecurity incident.

American Water posted a notice of the data breach on its website on October 7. The notification informed customers of the ongoing potential harm to customer data; steps to be taken to address the data breach, including shutting down the Company’s online payment billing and payment portal systems; and work is being done following the data breach.

But days later, on October 11, the first lawsuit stemming from the announcement was filed.

The latest case came on October 22.

Ransomware. Photo: RareStock via Adobe Stock Photo: RareStock via Adobe Stock

The number of people affected by the data breach is unknown, but American Water serves more than 14 million people in 14 states, according to the lawsuits. American Water’s website states that it is the largest regulated water and wastewater utilities company in the United States.

It is unknown who was behind the American Water cyber attack, but other water utilities were breached by Russian, Chinese and Iranian-backed cyber attackers in 2023 and 2024. TechTarget.com.

According to one of the lawsuits, American Water “failed to adequately protect plaintiff’s and class members’ PII (personally identifiable information) or even failed to encrypt or redact this highly sensitive information.” Karwoski – American Water Works. “This unencrypted, unorganized PII was compromised by the defendant’s negligent and/or careless acts and omissions and its utter failure to protect its customers’ sensitive data. Hackers targeted and obtained plaintiff’s and class members’ personal information because of its value in exploiting and stealing plaintiff’s and class members’ identities. “The current and ongoing risk to data breach victims will continue throughout their lives.”

Another one of the suits, Menichini / American Water WorksIt alleged that the defendant breached its obligations to the plaintiff and class members and were negligent in failing to audit, monitor or ensure the integrity of their data security practices.

According to the proposed class action, the company’s alleged illegal conduct includes: failing to adequately vet its vendors to ensure they maintain adequate data security practices; failure to maintain an adequate data security system to reduce the risk of data breaches and cyber attacks; inadequate protection of private personal information of customers and other relevant persons; and its failure to properly monitor its own data security systems against existing intrusions.

American Water’s attorney has not yet joined any lawsuits. American Water cannot comment on pending litigation, said Ruben Rodriguez, the company’s senior manager of external communications.

These actions were uncovered by Law.com Radar, which provides AI-enhanced case summaries and daily case reports from more than 2,200 state and federal courts. Click here to get started and be among the first to move based on opportunities in your region, practice area or client industry.