Hacker breached Florida water facility to alter sodium hydroxide level, police say

The breach did not cause any harm to public health, police say.
water treatment plant
(Getty Images)

An unidentified hacker on Feb. 5 broke into the computer system of a water treatment plant for a town outside of Tampa, Florida, and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level, local authorities said Monday.

The attacker changed the level of sodium hydroxide in the water treatment plant in the town of Oldsmar from about 100 parts per million to 11,100 parts per million, said Bob Gualtieri, the sheriff of Pinellas County, Florida. Treatment plants use sodium hydroxide to make water drinkable, but it can be unsafe for people in large quantities.

The breach did not cause any harm to public health, but it is a stark reminder of the risks that come with increasingly digitized critical infrastructure.

“This is somebody that is trying, at least it appears on the surface, to do something bad … It’s a bad actor,” Gualtieri said at a press conference. “At no time was there a significant adverse effect on the water being treated. Importantly, the public was not in danger.”


No suspects have been identified and it is unclear if the perpetrator is in the U.S. or abroad, Gualtieri said. The FBI and U.S. Secret Service are aiding the investigation, he added.

The attacker broke into the Oldsmar Water Treatment Facility’s computer system twice on Feb. 5, according to Gualtieri, taking advantage of remote access software that operators use for maintenance. Not long after the intruder changed the sodium hydroxide level, a plant operator noticed and reversed the change, according to authorities.

It would have taken 24 to 36 hours before the altered water solution entered the water supply and there were redundancies in place to prevent that, according to Gualtieri and Oldsmar Mayor Eric Seidel.

Engineers at industrial plants often used remote software to monitor plant performance, a practice that has long opened up potential avenues for hackers. The incident at Oldsmar, a town of some 15,000 people, is bound to bring such security arrangements under fresh scrutiny.

“We’ve obviously disabled the program that enabled it to happen,” Oldsmar City Manager Al Braithwaite said at the press conference. “And we are going to make some upgrades to other parts of the system to try to ensure that it doesn’t happen again.”


An FBI spokesperson said the bureau’s Tampa office is “working with the city of Oldsmar and the Pinellas County Sheriff’s Office, offering resources and assistance in the investigation of this incident.”

The cybersecurity of the water sector hasn’t traditionally gotten the same level of attention as other industrial sectors such as electricity and oil and gas.

Hackers breached a water treatment facility in Israel in April 2020 in an incident that multiple media reports blamed on Iran.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts