Nova Scotia Cybersecurity Minister Colton LeBlanc says his department has identified thousands more people affected by a recent global data breach, and this week it is beginning the process of notifying the “most vulnerable” victims of the hack.
But LeBlanc told a news conference Wednesday it’s hard to give a precise estimate of how many people were affected by the breach of the MOVEit file transfer service because of the large number of individuals who had duplicate files.
After the cyberattack became public, LeBlanc said on June 6 that as many as 100,000 people in the province had their personal data stolen, such as social insurance numbers, addresses and banking information.
The minister said Wednesday an additional 13,000 active employees with regional centres for education and with the province’s francophone school board had personal data stolen, including names, addresses and social insurance numbers.
As well, hackers stole personal data from about 17,500 water and tax bill accounts with the Region of Queens Municipality in southwestern Nova Scotia, along with data from the Nova Scotia Pension Agency. The province said Halifax Water has also notified 25,000 customers that names and account numbers were a part of the data breach.
LeBlanc said the province will distribute notification letters by the end of this week to “the most vulnerable groups impacted.” They include those whose data, including photos, was leaked from the Department of Community Services. LeBlanc said the province has not yet determined if any of the stolen information has been published.
A ransomware group called Clop has claimed to be behind the cyberattack, but it said it deleted data from public bodies—something cybersecurity experts say should be treated with skepticism.
“There is no reason for a criminal enterprise to simply delete information that may have value,” Brett Callow, a threat analyst with cybersecurity company Emsisoft, said last week. Callow said the data could be sold or traded, or used for phishing—a type of email scam that entices people to share personal data.
LeBlanc told reporters the breach hit 5,800 digital folders, each containing “a number of files and records” but didn’t specify the total number of people affected, citing “the complexity of manually going through all those files.”
Deputy minister Natasha Clarke said some agencies have sent out their own notifications about the data breach, but the Department ofCybersecurity will head up the formal notification process. LeBlanc added it will likely take weeks or even months to notify everyone affected, something Liberal critic Braedon Clark bristled at.
“If you’re talking about having your social insurance number out there, or your banking information in a worst-case scenario, to not know for weeks is really concerning,” Clark told reporters following the press conference.
He said the lack of information could spark anxiety, confusion and concern among those affected. “I think giving people that information in a timely way will give them some peace of mind,” he said.
LeBlanc said the province does not plan to hold more briefings on the data breach but will provide updates via press releases and social media.
