The intrusion at California Water Service did not start where most security teams would have looked. It started with a GNSS base station: an RTKBase instance used to stream precise GPS correction data across the utility's districts, which had been running continuously for about 783 hours when attackers pivoted from it into a billing system holding personal information on roughly two million customers, according to a SecurityWeek report synthesizing threat-intelligence firm Dataminr's analysis of the incident.
That timeline matters. A 783-hour dwell time is not a smash-and-grab. It is the digital equivalent of a contractor who has been on site long enough to know which doors are unlocked, where the servers live, and which accounts carry keys. The RTKBase platform is operational-technology-adjacent, not obviously customer-facing, which is exactly why it made a useful pivot point. The customer harm, per Dataminr's reconstruction reported by SecurityWeek, landed in the billing environment rather than in drinking-water treatment.
Iran-linked group Handala claimed responsibility and published what it described as roughly 5 GB of stolen data, including a customer billing database and Cal Water's internal RTKBase application, according to SecurityWeek. Cal Water's Chico District is the only site Dataminr confirms as a victim; broader exposure across the remaining districts is alleged in the dump and not yet independently verified. Cal Water is one of the largest investor-owned water utilities in the United States, serving roughly two million customers across 100 California communities.
The personal information in the leaked database is the kind that follows customers for years. The exposed categories include names, addresses, phone numbers, account numbers, and payment histories, per the data reviewed by Dataminr and reported by SecurityWeek. Administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password also appear in the dump, which means any operator who reused those credentials for surveying or GPS-correction work should treat them as compromised regardless of whether their own district is named.
Handala's framing of the incident is worth reporting as a claim rather than adopting as a frame. The group cast the operation as retaliation for recent US actions in Iran and asserted that it had the ability to disrupt water service but chose not to. That is motive, not a safety guarantee, and the same group has shipped destructive tools in other campaigns. SecurityWeek's reporting documents win.handala, Handala Wiper, Hamsa Wiper, and an MBR-overwriting capability in Handala's toolkit, and points to the prior destructive Stryker deployment as evidence of a willingness to escalate from data theft to outright wiping within a single operation.
The architectural lesson is the news here, and it generalizes beyond one utility. Any organization that runs surveying, GNSS-correction, or other operational-technology-adjacent platforms on the same network segments, identity stores, or vendor-relationship footprint as its customer-data systems has just been handed a worked example of how a long-running, pre-positioned foothold on the OT side becomes a PII incident on the IT side. The fact that the harm landed in billing rather than in chlorine dosing or pump control is not a relief. It is a warning that the lateral path exists, was traversed, and produced 5 GB of evidence that is now circulating publicly.
Two limits are worth naming up front. Dataminr's reconstruction is built from the leaked data and Handala's public claim, not from independent forensic confirmation by Cal Water. And no operational disruption to water treatment or distribution has been reported; OT or ICS tampering remains unverified. The story is real and serious, but the serious part is the customer data and the architectural foothold, not drinking-water safety.
Cal Water has not, on the record available to SecurityWeek, confirmed the breach or commented on Dataminr's specific findings. Customers in the Chico District, and potentially across the broader service area, should assume their billing and contact information is in hostile hands and, once a disclosure arrives, watch for the credential-reset and credit-monitoring communications that typically follow an incident of this shape.