3 days ago
Some customers say data appeared on dark web after Nova Scotia Power breach
Some Nova Scotians say they've received disturbing notifications from credit monitoring services alerting them that their personal data is now circulating on the dark web – and they believe it's linked to the recent cybersecurity breach at Nova Scotia Power.
The dark web is a hidden part of the internet that requires special software to access. While not all activity there is illegal, it is commonly used by criminals to buy and sell stolen personal information, including names, addresses, banking details and social insurance numbers (SIN).
Nov Scotia Power confirmed earlier this month it experienced a cyberattack involving a third-party vendor. The utility, owned by Emera Inc., said hackers may have accessed sensitive customer information, and about 140,000 SINs may have been taken, according to the company's CEO.
Cybersecurity expert Claudio Popa said the incident is troubling on multiple levels, particularly because it follows another major data breach in Nova Scotia less than a year ago.
In May 2023, the MOVEit file transfer software breach compromised data belonging to more than 100,000 people across the province.
'I immediately wondered what the overlap would be and whether an opportunistic cybercriminal would be able to aggregate the data from the two breaches to build more details profiles,' said Popa. 'People must be quite sensitized to having their identities stolen and abused as a result of events beyond their control.'
Popa said the breach at Nova Scotia Power exposes serious lapses in data handling, starting with why the utility collected SINs in the first place and why that information was not encrypted.
'In Canada, the SIN is central to people's identities. Utilities generally don't have a reason to collect them, so they should not,' he said. 'It's clear they were not securely stored. Otherwise, they would have been encrypted. We still don't know why were being collected in the first place.'
Popa said Nova Scotia Power failed to seize a critical opportunity to rebuild trust with customers – namely by being transparent about the scope of the breach and the ransom demand it reportedly received from the attackers.
'The first should have been telling customers immediately when they were asked to pay a ransom,' Popa said. 'When organizations are upfront, people instinctively offer goodwill but when communication is delayed or vague, it leads to erosion of trust.'
The utility has offered customers two years of optional credit monitoring through TransUnion, but Popa said that's insufficient given the nature of the data that was potentially exposed.
'All customers should be getting 10 years of credit monitoring, automatically,' he said. 'This is immutable identity data. You can't change your SIN. The risk doesn't expire in two years.'
Popa recommends Nova Scotia Power take three immediate steps:
explain the risks tied to the specific data that was stolen
advise customers to report any suspicious activity to the Canadian Anti-Fraud Centre
provide access to independent resources such as those from the federal privacy commissioner.
He also noted people who receive dark web alerts from Equifax or TransUnion may not always see specifics. The alerts typically signal that some form of personal information – not necessarily SINs – is circulating in cybercrime marketplace.
'It would be your email address, home address, or phone number. Criminals buy multiple data sets and piece them together to impersonate you more convincingly,' Popa said.
As the investigation continues, Popa emphasized that cybersecurity breaches are no longer rare events and companies should be better prepared.
'There's no substitute for conducting breach response simulations,' he said. 'You don't want your team thinking about how to respond for the first time while the breach is happening. These are learning opportunities, and companies need to treat them that way.'
NS Power
The Nova Scotia Power building is pictured in downtown Halifax. (Jonathan MacInnis/CTV Atlantic)
For more Nova Scotia news, visit our dedicated provincial page
