Itron discloses a cyberattack
SEC filing says intruder accessed some systems in mid-April; critical utility tech runs on quiet vendor networks until it does not
Zack Whittaker
techcrunch.com
Itron says it discovered an intruder in its systems in mid-April and has since expelled the attacker, according to a legally required filing to the US Securities and Exchange Commission reported by TechCrunch. The company did not say who detected the intrusion or how it was discovered, and it has not described the attack type—whether ransomware, data theft, or a quieter compromise. Itron also said it has seen no further signs of unauthorized access since removing the intruder.
The company’s footprint makes the disclosure more consequential than the usual corporate breach notice. Itron supplies internet-connected utility meters and related software used to manage electricity, gas and water consumption, and it says its technology reaches more than 110 million homes and businesses. It operates in more than 100 countries and sells to utilities, cities and municipalities—customers that tend to buy on long cycles and then run systems for years. That creates a familiar security problem: the vendor’s internal IT network may be separate from customer deployments, but engineering tooling, support channels and update mechanisms can become bridges when an attacker is patient.
Itron’s filing draws a careful boundary, saying it did not identify unauthorized activity in the “customer-hosted portion of its systems.” That phrasing is narrower than “customer data was not accessed,” and it leaves open what happened inside the company’s own environment: email, internal documents, source code repositories, build systems, or credentials that could later be reused. The company says it activated contingency plans and data backups and that operations have continued “in all material respects,” language that typically signals limited immediate disruption rather than a clean bill of health.
The disclosure route is also telling. Companies often learn about intrusions from third parties—law enforcement, partners, threat-intel firms, or a ransom note—and the filing’s passive “was notified” avoids committing to any of those. Itron says it has informed law enforcement and warned it may make additional regulatory filings, including those triggered by state data-breach notification laws if personal information is later found to be exposed.
Itron is based in Liberty Lake in Washington state. Its SEC filing is public; the technical details of how an attacker entered a company that helps run essential metering infrastructure are not.