The Nova Scotia Power building is pictured in downtown Halifax. Image: CTV Atlantic
All Customers Could Be at Risk. Nova Scotia Power says a cyberattack last spring may have affected every customer. The utility shared a detailed report outlining the timeline and impact of the breach.
The report was submitted at the request of the Nova Scotia Energy Board. The board is investigating the March attack and had posed several questions to NS Power. While responses were due in mid-August, the board granted an extension to early September.
“These information requests reflect concerns expressed by NS Power’s customers about misuse of personal data,” the board said in a previous letter. Customers had asked about risks from the breach and difficulties with credit monitoring services provided by NS Power.
Extent of the Breach
According to the report, roughly 277,000 customers were notified of possible exposure. However, NS Power acknowledges the investigation is ongoing. “It remains possible that all of the Company’s customers may have been impacted by the cyberattack,” the report says. The utility plans to notify additional active customers as necessary.
The breach also affected billing. Since June, NS Power has issued estimated bills based on average energy usage from the previous year.
“Some bills appeared larger than expected for a variety of reasons,” the report notes. “Payments may not have been processed, some customers received bills close together as we caught up after the pause, and estimated bills may not reflect changes made at properties. Customers will never pay for power they did not use. Any over- or under-payments will be corrected in future bills. No late charges or penalties have been applied since the incident.”
The Timeline of the Attack
NS Power calls the incident a “sophisticated and coordinated cyberattack.” It occurred around March 19 but was not detected until April 25, when certain applications stopped functioning.
The investigation revealed unauthorized access to parts of NS Power’s IT network and servers supporting business applications. By May 1, the company confirmed that customer information had been compromised. Customers were promptly informed and warned to remain vigilant against scams and unsolicited messages.
Some stolen data appeared on the dark web, a platform often used for trading stolen information. In response, NS Power has committed to deleting all customer social insurance numbers from its files. Meanwhile, the Office of the Privacy Commissioner of Canada launched an investigation on May 28.
Credit Monitoring for Customers
NS Power is offering impacted customers a free, five-year credit monitoring service through TransUnion. The service includes dark web monitoring, unlimited online access, and up to $1 million in identity theft expense coverage.
While some customers faced challenges signing up online, the company updated its website with guidance and held over 30 in-person sessions. “The vast majority of individuals were able to complete enrollment online within minutes using their activation code,” the report states.
