Nova Scotia Power Data Breach Exposes Sensitive Information of 900,000 Customers, Sparks Urgent Cybersecurity Overhaul

A significant cybersecurity incident has unfolded at Nova Scotia Power, where a data breach has compromised the sensitive information of over 900,000 current and former customers. This breach has prompted the utility provider to enhance its cybersecurity and privacy measures, raising critical questions about data management practices across organizations.

The breach was identified on April 25, 2025, but it was not a sudden occurrence. Instead, it developed over several weeks, illustrating how cybercriminals can infiltrate systems undetected.

Nova Scotia Power Data Breach Linked to Malware Infection

According to details shared in a compliance letter, the breach began around March 19, 2025, when an employee accessed a compromised website that was infected with “SocGholish” malware. This action led to the installation of malware that established a foothold within the company’s network.

Following this initial breach, attackers escalated their access between April 8 and April 22. They moved laterally across systems using domain administrator privileges, conducted internal reconnaissance, and harvested credentials. This phase is often underestimated in cybersecurity incidents, yet it is the stage at which attackers come to understand the layout of the network.

By the time the data breach was detected, the attackers had already spent considerable time navigating the network.

Data Exfiltration and Ransomware Deployment

The final phase of the breach occurred between April 23 and April 25, when the attackers exfiltrated data from both on-premises systems and cloud storage. Shortly thereafter, ransomware was deployed, leading to the destruction of backups and the disruption of multiple applications.

The breach was only discovered when employees reported system disruptions, indicating that the attackers had already reached a damaging stage. Subsequently, the attackers contacted Nova Scotia Power through a Tor-based dark web page, providing proof of access to sensitive customer data. However, there is no confirmed evidence that this data has been publicly released or sold.

In alignment with law enforcement guidance, Nova Scotia Power opted not to pay the ransom.

Scope of the Nova Scotia Power Data Breach

The breach has affected approximately 375,000 current customers and 540,000 former customers. The compromised data includes:

  • Names, phone numbers, and email addresses
  • Mailing addresses and dates of birth
  • Account and billing history, including bank details
  • Driver’s license numbers and Social Insurance Numbers (SINs)

This level of exposure significantly heightens the risk of identity theft and financial fraud, marking the Nova Scotia Power data breach as particularly serious.

Delayed Notifications and Customer Concerns

The handling of the breach has drawn scrutiny, with the Office of the Privacy Commissioner of Canada receiving multiple complaints regarding delayed notifications. The use of mailed letters for communication slowed the process of informing affected individuals.

Concerns have also been raised about the collection and storage of SINs, which were part of the compromised dataset. While Nova Scotia Power informed the public on April 28 and notified regulators by May 1, direct notifications to customers commenced weeks later, with additional affected individuals identified months after the initial disclosure.

This staggered communication underscores the complexities involved in breach investigations and highlights the necessity for timely transparency.

Response and Security Commitments

In the aftermath of the breach, Nova Scotia Power took immediate steps to contain the incident. This included isolating affected systems, resetting compromised credentials, and collaborating with third-party cybersecurity experts to investigate and remediate the breach.

Customers were offered credit monitoring and identity protection services, initially for 24 months and later extended to five years for all affected individuals.

More importantly, Nova Scotia Power has committed to enhancing its security measures under a compliance agreement. The Office of the Privacy Commissioner will continue to monitor the company’s progress until all commitments are fulfilled.

Philippe Dufresne, the Privacy Commissioner, stated, “I welcome this commitment by Nova Scotia Power to ensure stronger protections for the personal information of its customers. This privacy breach highlights the significant risks of cyberattacks to individuals and companies. Strong, proactive data protection, including robust safeguards, must be prioritized by all organizations in this evolving landscape.”

For further details, refer to the publicly available reporting from The Cyber Express.
