An investigation has been launched by Ottawa’s privacy watchdog into a ransomware attack that resulted in the theft of personal information from 280,000 customers of Nova Scotia’s electric utility.
Nova Scotia Power confirmed last week that hackers had stolen the data and released it on the dark web, impacting roughly half of its customers.
The privately owned utility said a variety of customer information ranging from phone numbers and email addresses to driver’s licence, social insurance, and bank account numbers may have been compromised in the cyberattack.
Federal Privacy Commissioner Philippe Dufresne has since announced the launch of an inquiry into the matter after receiving complaints about the security breach, which was reported by the utility company in late April.
“We are actively engaging with the organization to ensure that it is taking appropriate steps to respond to the incident, and my immediate focus is on ensuring that the company is effectively addressing the breach and protecting the personal information of its customers,” Dufresne said in a May 28 statement. “This includes breach containment, notification and measures to reduce risks to those affected.”
Nova Scotia Power has said it’s offering all impacted customers a two-year subscription for credit monitoring services through TransUnion Canada.
Those who were affected by the breach should consider registering for the service to lessen the likelihood of fraud, Dufresne said. He also recommended that victims change account passwords, keep an eye on other accounts, and alert their financial institution.
Hackers don’t always use personal data obtained in a breach immediately, the commissioner noted, and warned victims against assuming their information is safe just because it hasn’t been used within the first few days of a data breach.
“Data breaches have surged over the past decade and this incident highlights the growing risks of cyberattacks for all organizations,” Dufresne said. “Prioritizing information security is essential to respond to a threat environment that is continuously evolving.”
Nova Scotia Power and parent company Emera Inc. reported the cybersecurity incident on April 25 following the detection of “unauthorized” activity on their network.
The companies activated an incident response immediately after identifying “the external threat” to isolate and control the affected systems and avert any additional attacks, Nova Scotia Power said. The firms have since engaged third-party cybersecurity experts to look into the attack and have notified law enforcement officials.
The utility firm mailed notifications to impacted customers last week.
“We remain sincerely sorry that this issue has occurred,” Nova Scotia Power said. “Protecting the privacy and security of information held by Nova Scotia Power is something we take very seriously.”
The Canadian Press and Olivia Gomm contributed to this report.







