
Summary
Nova Scotia Power suffered a ransomware attack impacting 280,000 customers. Sensitive data such as names, addresses, and even social insurance numbers were compromised. The Privacy Commissioner of Canada launched an investigation, emphasizing the growing cyberattack risks for all organizations.
Main Story
A major data breach recently struck Nova Scotia Power, a Canadian electric utility, compromising the personal information of roughly 280,000 customers. This incident, confirmed by the company as a ransomware attack, underscores the increasing vulnerability of organizations to cyber threats in today’s digital landscape. The fallout includes investigations, credit monitoring services for affected individuals, and a renewed focus on cybersecurity practices.
The Breach and Its Impact
The ransomware attack, which occurred on March 19, 2025, went undetected for over a month before Nova Scotia Power noticed unusual network activity on April 25, 2025. The stolen data encompassed a range of sensitive information, including names, dates of birth, phone numbers, email and physical addresses, power consumption details, service requests, payment and billing histories, and driver’s license numbers. Alarmingly, approximately half of those affected, around 140,000 customers, also had their Social Insurance Numbers (SINs) compromised, as the company used SINs for identity verification purposes. For some customers enrolled in pre-authorized payments, bank account numbers were also exposed.
Response and Investigation
Upon discovery, Nova Scotia Power activated its incident response protocols, engaged cybersecurity experts, and collaborated with law enforcement and regulators. The company has confirmed it did not pay the ransom demanded by the hackers, but it acknowledged that the perpetrators have published some of the stolen data online. Although Nova Scotia Power stated there was no evidence of data misuse as of June 13, 2025, it is offering affected customers a two-year subscription to a credit monitoring service through TransUnion. Customers are also encouraged to take proactive steps such as changing passwords, monitoring their accounts, and reporting any suspicious activity to their financial institutions.
Official Scrutiny and Repercussions
The data breach prompted an investigation by the Office of the Privacy Commissioner of Canada to determine if Nova Scotia Power took appropriate steps to address the incident and safeguard customer information. This investigation, conducted under the Personal Information Protection and Electronic Documents Act (PIPEDA), will examine the company’s breach containment, notification process, and risk mitigation measures. The Nova Scotia Energy Board also launched its own inquiry into the cyberattack, raising concerns about the significant amount of personal information accessed and the delay between the breach and its discovery. The Board will further review Nova Scotia Power’s cybersecurity practices before, during, and after the incident. Interestingly, just weeks after the ransomware attack, the Energy Board approved a $1.8 million cybersecurity improvement project for Nova Scotia Power, a project the utility had applied for prior to the incident.
Looking Ahead: Cybersecurity in a Vulnerable World
The Nova Scotia Power data breach serves as a stark reminder of the escalating threat of cyberattacks faced by all organizations. The utility’s CEO, Peter Gregg, himself a victim of the breach, acknowledged the increasing sophistication of cybercriminals and the need for continuous improvement in defensive measures. This incident highlights the critical importance of prioritizing information security, implementing robust cybersecurity protocols, and maintaining vigilance against evolving cyber threats. The ongoing investigations will likely shed more light on the specifics of the attack and inform future preventative measures.
The delay in detecting the ransomware attack for over a month highlights the challenge of timely threat detection. What innovative strategies or technologies could significantly reduce the dwell time of such attacks within organizational networks?
That’s a great point about the dwell time! I think investing in AI-powered threat detection could be a game-changer. These systems can learn normal network behavior and flag anomalies much faster than traditional methods, potentially shrinking that detection window significantly. What are your thoughts on AI’s role in cybersecurity?
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
Given the Social Insurance Numbers were compromised, what specific identity verification alternatives could organizations implement to mitigate risks associated with relying on such sensitive data?
That’s a crucial question! Eliminating reliance on SINs is key. Multi-factor authentication (MFA) incorporating biometrics or one-time passcodes offers a stronger layer of security. Exploring decentralized identity solutions could also be a viable path forward. What are your thoughts on the practicality of these options in large organizations?
Editor: StorageTech.News
The compromise of bank account numbers for pre-authorized payments raises serious concerns about the security of payment systems. Tokenization, which replaces sensitive data with non-sensitive equivalents, could significantly reduce the risk associated with storing such information. How feasible is the adoption of tokenization across utility payment platforms?
That’s a really important point about tokenization! I agree it could significantly reduce risk, especially with pre-authorized payments. Thinking about the feasibility, how can we balance the upfront investment in tokenization tech with the long-term cost savings from preventing data breaches and maintaining customer trust? This is a key factor for utility companies.
Editor: StorageTech.News
Given the approved cybersecurity improvement project weeks after the ransomware attack, what specific measures were included in that project, and how might they have mitigated the impact if implemented earlier?
That’s an insightful question! The details of the cybersecurity project haven’t been made public, but preventative measures likely include enhanced intrusion detection and employee training. Had those measures been in place earlier, the initial intrusion might have been flagged sooner, limiting the scope of the breach. Let’s hope more details emerge as the investigation progresses.
Editor: StorageTech.News