Utility
Electricity
Nova Scotia Power's cybersecurity breach exposed SINs, bank details, and billing...
**Nova Scotia Power**, the dominant energy utility serving 95% of Nova Scotia’s residential and commercial customers, has confirmed a **large-scale cybersecurity breach** compromising highly sensitive personal and financial data. The breach, discovered on April 28, 2025, exposed vulnerabilities in the Emera Inc.-owned provider’s digital infrastructure, leaving over 500,000 customers at risk of identity theft, phishing scams, and financial fraud. Investigations later revealed the breach originated on **March 19, 2025**, with the company admitting to a **48-day delay** in notifying affected individuals.
### **Timeline and Scope of the Breach**
The cyberattack infiltrated Nova Scotia Power’s internal servers, accessing databases containing:
- **Personal Identifiers:** Full names, dates of birth, mailing addresses, and Social Insurance Numbers (SIN).
- **Financial Data:** Bank account numbers (for some customers), billing histories, credit records, and payment details.
- **Utility-Specific Information:** Service addresses, electricity consumption patterns, customer correspondence, and program participation records.
While the utility confirmed its **32,000-kilometer power grid** and energy production systems remained unaffected, the breach disrupted internal operations during containment efforts. Cybersecurity analysts estimate the stolen data could enable criminals to impersonate customers, apply for fraudulent loans, or launch targeted phishing campaigns.
### **Delayed Notification Sparks Public Outcry**
Nova Scotia Power’s admission that customers were not alerted until late May—**nearly two months post-breach**—has drawn sharp criticism. Critics argue the delay violates Canada’s *Digital Privacy Act*, which mandates prompt disclosure of data breaches posing _“significant harm.”_
_“Notifications are being mailed to impacted account holders with details on resources and support,”_ the company stated in its May 28 update. However, cybersecurity experts warn that delayed alerts heighten risks, as threat actors often exploit stolen data immediately.
### **Mitigation Measures and Customer Support**
To address concerns, Nova Scotia Power announced:
- **Two Years of Free Credit Monitoring:** Partnering with TransUnion to provide comprehensive identity theft protection.
- **Dedicated Support Hotlines:** For customers to verify if their data was compromised.
- **Phishing Awareness Campaigns:** Urging vigilance against fraudulent emails or calls impersonating the utility.
_“While there’s no evidence of misuse, we encourage customers to monitor their accounts and report suspicious activity,”_ the company emphasized.
### **Sector-Wide Implications for Critical Infrastructure**
The breach underscores growing concerns about cybersecurity in **energy utilities**, which manage vast troves of sensitive customer data alongside critical infrastructure. Nova Scotia Power, which generates **10,000 GWh annually** and serves as the province’s economic backbone, now faces scrutiny over its cybersecurity investments.
_“Utilities are prime targets for cybercriminals due to their operational and data value,”_ said Halifax-based cybersecurity analyst Mark Tynes. _“This breach should serve as a wake-up call for stricter protocols across the sector.”_
### **What Customers Should Do Now**
1. **Monitor Financial Accounts:** Flag unauthorized transactions to banks immediately.
2. **Enable Fraud Alerts:** Contact credit bureaus (Equifax, TransUnion) to lock credit files.
3. **Verify Communications:** Nova Scotia Power will never request sensitive data via email or phone.
4. **Use Provided Resources:** Enroll in TransUnion’s credit monitoring using the activation code included in mailed notices.
No ransomware group has claimed responsibility, leaving the motive unclear. However, the breadth of the stolen data—particularly SINs and bank details—creates long-term risks.
Cybersecurity firm SecureNova [warns](https://www.nspower.ca/) that **dark web markets** could monetize this information for years, necessitating perpetual vigilance.
Nova Scotia Power has yet to clarify why its intrusion detection systems failed to flag the March 19 breach earlier. Regulatory bodies, including the **Nova Scotia Utility and Review Board**, are expected to launch an independent audit of the company’s cybersecurity framework.
