Florida city attacked by a hacker trying to poison its drinking water

A city employee caught the hack before it did any damage.

REUTERS/Benoit Tessier

The FBI is investigating an attempt by an individual or group of hackers to poison a city’s water supply. As reported by Reuters and the Tampa Bay Times, public officials from Oldsmar, Florida, a community located about 25 minutes north of Tampa, said someone gained unauthorized access to one of the computers in the city’s water treatment plant last Friday afternoon. An employee who was monitoring the station remotely saw the hacker take the computer’s cursor and enter the software that controls the chemical makeup of the city’s water supply. They then increased the concentration of sodium hydroxide from 100 parts per million to 11,100 parts per million.

The chemical, which is also known as lye, is used in sparing amounts to regulate the acidity of water, but anything more than trace quantities is corrosive to humans. The employee who saw the change immediately reverted the concentration of sodium hydroxide back to normal levels. Whoever was behind the intrusion, they were able to use the computer because it was configured for remote access to assist with troubleshooting.

Even if that worker had not been there to undo the hacker’s actions, officials said it would have taken more than a day before the water made its way into the city’s supply. Additionally, there were other failsafes in place to detect if the water’s pH level changed dramatically. “At no time was there a significant adverse effect on the water being treated,” Pinellas County Sheriff Bob Gualtieri said. “Importantly, the public was never in danger.” The FBI and local authorities have yet to make an arrest, though they say they have several leads. At the moment, it’s unclear if the attack originated outside of the US.

The attack comes at a time when the US is still dealing with the aftermath of the SolarWinds hack that affected more than 18,000 public and private sector organizations. President Biden’s recently passed $1.9 trillion COVID-19 Relief Plan includes more than $10 billion earmarked toward improving the country’s cybersecurity preparedness.