Latest news with #Popa


Global News
29-05-2025
- Business
- Global News
Thieves gain access to about 140,000 social insurance numbers in NS Power database
Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber-thieves who recently hacked into the utility's customer records. Peter Gregg said in an interview Thursday that the privately owned utility collected the numbers from customers to authenticate their identities. 'If there are a number of John MacDonalds, it (the social insurance number) determines which one we (the utility) are talking to,' Gregg said during the interview at the Halifax headquarters of the Emera subsidiary. On May 23, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack — more than half of the total. Asked Thursday how many of these records contained the confidential, nine-digit social insurance numbers, Gregg replied, 'approximately half.' Cybersecurity expert Claudiu Popa questions why a utility would need to keep this kind of data about customers for customer authentication purposes. The founder of the non-profit group KnowledgeFlow says there are less risky ways to identify customers with similar names than to store their social insurance numbers. 'It clearly states on government websites that using one of a person's most confidential identifiers is not the recommended approach to identifying individuals,' he said in an interview Thursday. The federal government's website says the numbers are for work applications and government records, and it advises people not to share them unless it's legally required. It also notes that thieves can use the numbers to commit fraud, including attempting to access government benefits and tax refunds.
'There's an almost infinite number of ways that these numbers can be used in fraud,' said Popa. Gregg said that the social insurance numbers weren't required from its customers, and they offered them voluntarily. The breach of the customer records was first reported in late April, and the company later indicated the first breach was detected in mid March. Popa has said the company should by now have provided more precise information to each customer about what personal data was stolen, and given explicit warnings about potential harm. Gregg said that more details will be provided as IT staff and other cybersecurity consultants continue working to obtain the information. 'We want to be careful to say what we know and not what we think,' he said. 'As we get deeper into the investigation and we are able to confirm details, that information will be shared with our customers.' This report by The Canadian Press was first published May 29, 2025.
Yahoo
28-05-2025
- Business
- Yahoo
Federal privacy czar starts probe into theft of customer data from Nova Scotia Power
HALIFAX — The federal privacy commissioner has launched an investigation into a ransomware attack that led to the theft of personal information belonging to 280,000 customers of Nova Scotia's electric utility. Privately owned Nova Scotia Power confirmed last week that hackers stole the data and published it on the dark web. Privacy commissioner Philippe Dufresne said in a statement Wednesday that he started the probe after receiving complaints about a security breach the utility reported in late April. 'Data breaches have surged over the past decade and this incident highlights the growing risks of cyberattacks for all organizations,' he wrote in the statement. Dufresne said he wants to make sure the utility is taking appropriate steps to deal with the breach, which the company says included disclosure of some customers' social insurance numbers. The commissioner says his investigation is looking at steps the company has taken to contain the breach, notify its customers and reduce the risk of fraud and identity theft. Nova Scotia Power says it's offering affected customers a two-year subscription for credit monitoring services through TransUnion Canada. It's also sent letters to customers informing them the stolen data may include their names, birth dates, email addresses, home addresses, customer account information, driver's licence numbers and, in some cases, bank account numbers. Some experts have criticized how the utility notified customers about the breach. According to the commission's website, federal privacy law requires notifications to be given "as soon as feasible" after a company has determined "a breach of security safeguards involving a real risk of significant harm" has occurred. The website also says the notice should include a description of the circumstances of the breach, the time it occurred, a description of the personal information taken, and a "description of the steps that the organization has taken" to reduce the risk of harm. 
Cybersecurity expert Claudiu Popa, CEO of Informatica Corp., questions whether these standards were met by the utility. Based on the letters he's seen sent to customers, Popa said the information does not provide much detail. "The further inadequacy was the lack of explanation of what could go wrong and what could be done with this information," he said, referring to the customer notifications. He also said the company's offer of a free, two-year subscription to TransUnion's monitoring service isn't long enough. "We should not be naive about the fact that these criminals now have a rich data set to exploit Nova Scotia victims for the foreseeable future, and that foreseeable future probably extends beyond 24 months," said Popa, author of "The Canadian Cyber Fraud Handbook." Nova Scotia Power spokeswoman Kathryn O'Neill said in an email Wednesday the company is aware the cyberattack "has been really concerning for some of our customers." "Impacted individuals have received detailed information about available resources and support," she wrote. "We continue to work with leading third-party cybersecurity experts on this complex investigation and the safe and secure restoration of our systems. We're also implementing additional safeguards to help prevent similar incidents in the future." In his statement, Dufresne said customers would be wise to sign up for credit monitoring services, and he said they should monitor their bank accounts and notify their financial institutions. This report by The Canadian Press was first published May 28, 2025. Michael Tutton, The Canadian Press