Nova Scotia Power's cybersecurity breach exposed SINs, bank details, and billing data. 500k customers impacted. Get free credit monitoring & protection steps.

Continue reading
Nova Scotia Power, the dominant energy utility serving 95% of Nova Scotia’s residential and commercial customers, has confirmed a large-scale cybersecurity breach compromising highly sensitive personal and financial data. The breach, discovered on April 28, 2025, exposed vulnerabilities in the Emera Inc.-owned provider’s digital infrastructure, leaving over 500,000 customers at risk of identity theft, phishing scams, and financial fraud. Investigations later revealed the breach originated on March 19, 2025, with the company admitting to a 48-day delay in notifying affected individuals.
The cyberattack infiltrated Nova Scotia Power’s internal servers, accessing databases containing:
While the utility confirmed its 32,000-kilometer power grid and energy production systems remained unaffected, the breach disrupted internal operations during containment efforts. Cybersecurity analysts estimate the stolen data could enable criminals to impersonate customers, apply for fraudulent loans, or launch targeted phishing campaigns.
Nova Scotia Power’s admission that customers were not alerted until late May—nearly two months post-breach—has drawn sharp criticism. Critics argue the delay violates Canada’s Digital Privacy Act, which mandates prompt disclosure of data breaches posing _“significant harm.”_
_“Notifications are being mailed to impacted account holders with details on resources and support,”_ the company stated in its May 28 update. However, cybersecurity experts warn that delayed alerts heighten risks, as threat actors often exploit stolen data immediately.
To address concerns, Nova Scotia Power announced:
_“While there’s no evidence of misuse, we encourage customers to monitor their accounts and report suspicious activity,”_ the company emphasized.
The breach underscores growing concerns about cybersecurity in energy utilities, which manage vast troves of sensitive customer data alongside critical infrastructure. Nova Scotia Power, which generates 10,000 GWh annually and serves as the province’s economic backbone, now faces scrutiny over its cybersecurity investments.
_“Utilities are prime targets for cybercriminals due to their operational and data value,”_ said Halifax-based cybersecurity analyst Mark Tynes. _“This breach should serve as a wake-up call for stricter protocols across the sector.”_
No ransomware group has claimed responsibility, leaving the motive unclear. However, the breadth of the stolen data—particularly SINs and bank details—creates long-term risks.
Cybersecurity firm SecureNova warns that dark web markets could monetize this information for years, necessitating perpetual vigilance.
Nova Scotia Power has yet to clarify why its intrusion detection systems failed to flag the March 19 breach earlier. Regulatory bodies, including the Nova Scotia Utility and Review Board, are expected to launch an independent audit of the company’s cybersecurity framework.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.