Nova Scotia Power says it believes it knows who stole customer data

CBC

a day ago

The head of Nova Scotia Power says the company believes it knows who stole customer information in a recent ransomware attack.
However, CEO Peter Gregg says he can't disclose that information as the company's investigation is ongoing.
"We do have a good sense of who the threat actor is," Gregg told CBC's Information Morning Halifax on Friday morning. "I can't really get into the details of that."
Gregg said the company believes some information may have been published on the dark web — part of the internet that requires special software to access, and which cybercriminals can use to buy and sell data and other illicit materials — but that there has been no spread of the information to other sites.
The utility has said it did not give any money to the hackers as part of the ransom demand.
Nova Scotia Power announced publicly on April 28 that it was dealing with a cybersecurity incident it discovered three days earlier, on April 25. The company later said the actual hack had occurred more than a month earlier, on March 19.
About 280,000 customers have been affected by the attack — about half of the utility's total customers and more than a quarter of the province's population.
Letters distributed to affected customers say the stolen information may include the customer's name, phone number, email address, mailing address, date of birth, account history, driver's licence number, social insurance number and bank account numbers.
Gregg said if a customer has not yet received a letter, he's "fairly confident" their information was not taken.
Social insurance numbers stolen
Gregg told the CBC Nova Scotia Power still doesn't know exactly which information was taken from each customer, but that about 140,000 social insurance numbers were included in the stolen data.
The federal government says people do not have to provide their SIN to sign up for utility service, except for Hydro Quebec customers.
Gregg told Information Morning that Nova Scotia Power has used social insurance numbers as a way of authenticating customers in the past, but it will no longer do that, and it will delete social insurance numbers that are on file.
Asked why Nova Scotia Power was keeping so many social insurance numbers on file long after a customer's identity had been confirmed, Gregg said, "I don't have a good answer for you for that today.
"It's an unfortunate thing. I apologize to our customers that they're in that situation, but at this point in time we need to continue the investigation."
Gregg said the Office of the Privacy Commissioner has its own investigation taking place, and Nova Scotia Power is co-operating.
Insurance
At the time the breach was announced, Nova Scotia Power said it was not expected to affect the company's financial performance. Gregg said Friday the utility has cybersecurity insurance and he anticipates that will cover the cost of dealing with the attack.
Nova Scotia Power has offered affected customers free credit monitoring for two years with TransUnion.
Gregg said the company chose the two-year period based on consultation with cybersecurity experts and what they said were best practices.
Gregg acknowledged that "there were some bumps" early on as customers struggled to access the site and set up the monitoring service, but said those have been dealt with and the process should be smoother now.
Upcoming bills
Nova Scotia Power's billing system was affected by the ransomware attack, but Gregg says the meters were not. However, the company still needs to rebuild the links between those networks.
So, the utility will estimate customers' next bills based on the same time period from last year so that the bills don't pile up and customers aren't hit with "multi-month large bills," Gregg said.
Late fees will be waived in the meantime, he said, and the company is looking at verifying all meters before the normal ways of billing resume.
Consequences for company executives?
Asked whether Gregg's own position as CEO of Nova Scotia Power may be jeopardized by the security breach, he said, "the future of me is up to my board and leadership of Emera."
As for executive bonuses and whether they will be warranted after the incident, Gregg said that decision is out of his hands.