
Latest news with #DavidShipley

Nova Scotia Power confirms server breach was 'sophisticated' ransomware attack

Globe and Mail

23-05-2025


Nova Scotia Power confirmed on Friday what cybersecurity experts have suspected for weeks – that it was the victim of a ransomware attack. In an update posted to its website, the private utility said that no payment was made to the person or group behind the 'sophisticated' attack. It refused to pay the ransom, it said, after 'careful assessment of applicable sanctions laws and alignment with law enforcement guidance.' The utility's investigation had found that its servers were breached on or around March 19 and the stolen customer information included credit histories, social insurance numbers, and bank account data. The company said late last month it was dealing with a cybersecurity incident it had discovered on April 25. Cybersecurity experts have said the breach has the hallmarks of a ransomware attack – in which extortionists steal a company's data and then demand a ransom to unlock the files or prevent them from being sold. David Shipley, CEO of New Brunswick-based Beauceron Security, said the nature of the information released by Nova Scotia Power on Friday was a 'positive sign' that the company was being transparent about what happened. However, he said the utility could have gone public with the information earlier than it did. 'People would not believe the army of nerds and lawyers that descend on a company when something like this happens,' he said. 'Everything goes through this process that makes a Vatican conclave look ad hoc. Every sentence is scrutinized, particularly when you are a publicly traded company, to balance what they can say versus what they could be opening themselves up for.' He said it's telling that the company didn't pay a ransom – Nova Scotia Power likely knew the group they were dealing with. 'That's a really important clue that this entity is likely one that's been well-identified and is sanctioned by the U.S. government and or the Canadian government,' he said. 
Had the utility paid, he suggested, the company could have left itself open to sanctions. Shipley said the information stolen in such breaches can be published on what's known as the dark web – part of the internet that can be accessed with special software – and through peer-to-peer file sharing services. He described the Nova Scotia Power breach as a 'canary in the coal mine,' signalling that other utilities and companies are vulnerable. 'If every provincial regulator does not wake up to this right now we are risking more harm to Canadians in terms of financial fraud, but we are definitely risking the stability of our power generation,' Shipley said. 'It's on the provinces to do this and I don't think there's a damn one that's doing it well.' Meanwhile, the utility said it has contacted affected customers and given them support, including a two-year subscription to a comprehensive credit monitoring service at no cost. It has also warned customers to watch out for unsolicited communications such as messages appearing to be from Nova Scotia Power asking for personal information.

Theft of NS Power customer data is likely ransomware attack: security experts

Global News

13-05-2025


Security experts say the theft of customer data from Nova Scotia's electric utility has the hallmarks of an extortion attempt by cybercriminals. In a news release following the April 25 data breach, the utility said it notified police about the theft and confirmed that 'certain customer personal information was accessed and taken by an unauthorized third party.' Nova Scotia Power, however, refuses to say whether it was being extorted by criminals. But cybersecurity experts have little doubt about what happened. The breach at the utility 'walks, talks, barks like a ransomware attack' or other similar forms of cyber extortion, David Shipley, CEO of New Brunswick-based Beauceron Security, said in a recent interview. Ransomware extortionists use malicious software to infiltrate a system to prevent companies from accessing files and then demand a ransom — often cryptocurrency — to unlock them. Shipley said there are also instances of 'double extortion,' cases in which cybercriminals steal data and threaten to sell it unless they are paid. Natalia Stakhanova, the Canada research chair in security and privacy at the University of Saskatchewan, said in a recent interview it appears 'a ransomware attack happened.' She said, 'these kinds of organizations have been the target of attacks for a very long period of time. Certainly, Nova Scotia Power is not the first one.' Casey Spears, Nova Scotia Power's social and digital adviser, said last week the company wasn't releasing details about the breach, adding, 'we have committed to notifying customers whose data has been affected as soon as our investigation allows.'
Mark Plemmons, vice-president of intelligence operation at Dragos Inc. — a global cybersecurity firm that specializes in utilities and large industrial companies — said Tuesday his firm documented 30 cases last year of ransomware attacks against electrical utilities around the world. The Dragos annual report also documented 80 ransomware groups in 2024, compared to 50 the year before. All four experts say the attack likely involved a criminal organization attempting to make a profit, not a state-sponsored group trying to harm Canadians. Had the attack against Nova Scotia Power, a subsidiary of Emera, been directed at its infrastructure — at shutting down power plants — then that would have been a sign of the participation of a state-sponsored group, Shipley said. Plemmons, for his part, said groups who try to infiltrate the operations of utilities use 'living off the land techniques,' designed to look like legitimate activity within the network. 'Once they get in, they blend in and are very difficult to differentiate from legitimate users,' he explained. Those kinds of techniques don't seem to have been used in the Nova Scotia Power attack, he said. The difficulty in the ransomware scenario is bringing the extortion to an end, Shipley said. A recent example, he said, is the breach last December of data belonging to students and staff across Canada held in the PowerSchool system. The Toronto District School Board said this week that four months after it paid a ransom to retrieve the personal information, the board discovered that a 'threat actor' made a separate ransom demand in exchange for the same stolen data. 'So, you can't exactly take it to the bank, even if you do pay them, that they're going to delete the data,' Shipley said. The cybercriminals could also sell the information on the 'dark web' — a part of the internet accessible only through special software.
'We see all kinds of crazy things with identity theft, and it can be extraordinarily painful for individuals. The average Canadian loses about $4,000 when their identity gets hijacked,' Shipley said. Stakhanova said the intrusion highlights the need for Ottawa and provincial governments to bring in regulation requiring stricter protections of personal information held by companies and public institutions. 'As customers, we are very unprotected. We have no control over what happens with the data, our personal data, and we have no say over how the company should protect it and how the company should act in unfortunate cases like this,' she said. Rebecca Brown, a communications officer with the Nova Scotia Energy Board, said in an email that the regulator would hold a 'formal proceeding' into the breach. 'The scope of the matter is still to be determined,' she noted, adding the review could include studying the cause of the incident and Nova Scotia Power's response, as well as the impact of the breach on the utility and ratepayers.

Theft of NS Power customer data is likely ransomware attack: security experts

Yahoo

13-05-2025


HALIFAX — Security experts say the theft of customer data from Nova Scotia's electric utility has the hallmarks of an extortion attempt by cybercriminals. In a news release following the April 25 data breach, the utility said it notified police about the theft and confirmed that "certain customer personal information was accessed and taken by an unauthorized third party." Nova Scotia Power, however, refuses to say whether it was being extorted by criminals. But cybersecurity experts have little doubt about what happened. The breach at the utility "walks, talks, barks like a ransomware attack" or other similar forms of cyber extortion, David Shipley, CEO of New Brunswick-based Beauceron Security, said in a recent interview. Ransomware extortionists use malicious software to infiltrate a system to prevent companies from accessing files and then demand a ransom — often cryptocurrency — to unlock them. Shipley said there are also instances of "double extortion," cases in which cybercriminals steal data and threaten to sell it unless they are paid. Natalia Stakhanova, the Canada research chair in security and privacy at the University of Saskatchewan, said in a recent interview it appears "a ransomware attack happened." She said, "these kinds of organizations have been the target of attacks for a very long period of time. Certainly, Nova Scotia Power is not the first one." Casey Spears, Nova Scotia Power's social and digital adviser, said last week the company wasn't releasing details about the breach, adding, "we have committed to notifying customers whose data has been affected as soon as our investigation allows." Mark Plemmons, vice-president of intelligence operation at Dragos Inc. — a global cybersecurity firm that specializes in utilities and large industrial companies — said Tuesday his firm documented 30 cases last year of ransomware attacks against electrical utilities around the world. 
The Dragos annual report also documented 80 ransomware groups in 2024, compared to 50 the year before. All four experts say the attack likely involved a criminal organization attempting to make a profit, not a state-sponsored group trying to harm Canadians. Had the attack against Nova Scotia Power, a subsidiary of Emera, been directed at its infrastructure — at shutting down power plants — then that would have been a sign of the participation of a state-sponsored group, Shipley said. Plemmons, for his part, said groups who try to infiltrate the operations of utilities use "living off the land techniques," designed to look like legitimate activity within the network. "Once they get in, they blend in and are very difficult to differentiate from legitimate users," he explained. Those kinds of techniques don't seem to have been used in the Nova Scotia Power attack, he said. The difficulty in the ransomware scenario is bringing the extortion to an end, Shipley said. A recent example, he said, is the breach last December of data belonging to students and staff across Canada held in the PowerSchool system. The Toronto District School Board said this week that four months after it paid a ransom to retrieve the personal information, the board discovered that a "threat actor" made a separate ransom demand in exchange for the same stolen data. "So, you can't exactly take it to the bank, even if you do pay them, that they're going to delete the data," Shipley said. The cybercriminals could also sell the information on the "dark web" — a part of the internet accessible only through special software. "We see all kinds of crazy things with identity theft, and it can be extraordinarily painful for individuals. The average Canadian loses about $4,000 when their identity gets hijacked," Shipley said.
Stakhanova said the intrusion highlights the need for Ottawa and provincial governments to bring in regulation requiring stricter protections of personal information held by companies and public institutions. "As customers, we are very unprotected. We have no control over what happens with the data, our personal data, and we have no say over how the company should protect it and how the company should act in unfortunate cases like this," she said. Rebecca Brown, a communications officer with the Nova Scotia Energy Board, said in an email that the regulator would hold a "formal proceeding" into the breach. "The scope of the matter is still to be determined," she noted, adding the review could include studying the cause of the incident and Nova Scotia Power's response, as well as the impact of the breach on the utility and ratepayers. This report by The Canadian Press was first published May 13, 2025. Michael Tutton, The Canadian Press

Cyber Champions: People-first cybersecurity – David Shipley's mission with Beauceron Security

Yahoo

07-03-2025


Cyber Champions is a new monthly feature put out by the Canadian Cybersecurity Network to celebrate Canadian founders and their amazing companies. When David Shipley witnessed a hacking incident at the University of New Brunswick, he saw firsthand that cybersecurity failures often stemmed from weaknesses in people, processes and culture – not technology alone. This realization sparked his journey to found Beauceron Security, a company that aims to transform individuals from passive victims of cybercrime into active defenders. 'The root of all cyber incidents is people, process and culture. Technology alone isn't enough,' says Shipley. The name Beauceron reflects this mission. Inspired by the Beauceron sheepdog, known for its protective instincts, the company's goal is to motivate people to become defenders – cyber sheepdogs – in their digital environments. Beauceron is Shipley's first start up – talk about hitting a homer the first time up to the plate. Every founder faces a moment of crisis and for Shipley, it came early in Beauceron's journey. As the company faced mounting pressures and challenges, Shipley realized the importance of emotional resilience and the need to seek advice. 'Building emotional resilience…you really do have to take care of yourself and put your mask on first,' he says. By adjusting strategies and leaning on trusted advisors, Shipley guided Beauceron through difficult times, emerging with a stronger focus on people and culture as the foundation of cybersecurity success. Beauceron was founded to address a critical challenge: how to motivate individuals to make better security choices without resorting to fear-based training or compliance-driven programs. 'We were trying to solve how to motivate people to make good choices about technology so they can reduce their cyber risk and thrive in a digital world,' Shipley says. 
Instead of treating people as the 'weakest link,' Beauceron's approach empowers them to become active participants in their organization's cybersecurity efforts. Shipley believes that diverse backgrounds and skillsets are vital for success in cybersecurity. His advice for those trying to break into the field? Focus on critical thinking, communication and understanding human behavior. 'You don't need to be a programmer or a deep tech person to lead in cybersecurity,' he says. 'Critical thinking, psychology and the ability to ask fundamental questions are just as important.' Shipley's journey is proof that leadership in cybersecurity can come from unexpected places – and that passion and curiosity are often more valuable than technical expertise alone. 'The biggest cybersecurity myth that drives me crazy is that you have to be a programmer or deep tech person to hold a leadership role in cyber,' Shipley says. With a background in liberal arts and a fascination for psychology, Shipley built a multi-million-dollar cybersecurity company focused on empowering people, not just deploying technology. Shipley believes there is a significant opportunity to support Canadian innovation in the cybersecurity space. He advocates for investing in homegrown cyber solutions and service providers to develop skills and resiliency within Canada. 'We absolutely should be investing in Canada first,' he says. 'You cannot be a sovereign country without a cyber defense industrial base.' Shipley warns against simply subcontracting cyber defense to big American brands, emphasizing that a sovereign country needs its own cyber defense capabilities. Despite the challenges of being a startup, Beauceron has reached significant milestones, including:

  • Achieving $5 million in annual recurring revenue.
  • Serving 1,200 clients and a million users.
  • Creating 48 Canadian jobs and making a meaningful impact on the cybersecurity landscape.
When it comes to his own cybersecurity habits, Shipley takes a proactive approach. While he didn't specify a single 'paranoid' behavior, his philosophy centers around reducing risk through awareness and responsible decision-making. 'Ninety-five per cent of people know what cybersecurity is and want to do the right thing. It's not a knowledge issue – it's about applying that knowledge and caring about the issue.'

  • People, process, and culture: The foundation of cybersecurity success lies in human factors, not just technology.
  • Motivation over compliance: Engaging and empowering individuals leads to better security choices.
  • Emotional resilience: Founders must prioritize self-care and adaptability to navigate the challenges of startup life.
  • Diverse skillsets: A range of backgrounds can drive innovation and effective leadership in cybersecurity.
  • Support local innovation: Investing in Canadian cybersecurity companies is crucial for national security and growth.

Shipley's journey with Beauceron exemplifies a human-centric approach to cybersecurity – one where empathy, motivation and diverse perspectives drive meaningful change in the digital world. Beauceron shows how a Canadian company can grow and scale to incredible heights, proving that people, not just technology, are the key to cybersecurity success. Beauceron Security and David Shipley can be reached at: This section is powered by Revenue Dynamix. Revenue Dynamix provides innovative marketing solutions designed to help IT professionals and businesses thrive in the Canadian market, offering insights and strategies that drive growth and success across the enterprise IT spectrum.
