
Latest news with #data breach

Some customers say data appeared on dark web after Nova Scotia Power breach

CTV News

a day ago


Some Nova Scotians say they've received disturbing notifications from credit monitoring services alerting them that their personal data is now circulating on the dark web – and they believe it's linked to the recent cybersecurity breach at Nova Scotia Power.

The dark web is a hidden part of the internet that requires special software to access. While not all activity there is illegal, it is commonly used by criminals to buy and sell stolen personal information, including names, addresses, banking details and social insurance numbers (SIN).

Nova Scotia Power confirmed earlier this month it experienced a cyberattack involving a third-party vendor. The utility, owned by Emera Inc., said hackers may have accessed sensitive customer information, and about 140,000 SINs may have been taken, according to the company's CEO.

Cybersecurity expert Claudiu Popa said the incident is troubling on multiple levels, particularly because it follows another major data breach in Nova Scotia less than a year ago. In May 2023, the MOVEit file transfer software breach compromised data belonging to more than 100,000 people across the province.

'I immediately wondered what the overlap would be and whether an opportunistic cybercriminal would be able to aggregate the data from the two breaches to build more detailed profiles,' said Popa. 'People must be quite sensitized to having their identities stolen and abused as a result of events beyond their control.'

Popa said the breach at Nova Scotia Power exposes serious lapses in data handling, starting with why the utility collected SINs in the first place and why that information was not encrypted.

'In Canada, the SIN is central to people's identities. Utilities generally don't have a reason to collect them, so they should not,' he said. 'It's clear they were not securely stored. Otherwise, they would have been encrypted. We still don't know why they were being collected in the first place.'

Popa said Nova Scotia Power failed to seize a critical opportunity to rebuild trust with customers – namely by being transparent about the scope of the breach and the ransom demand it reportedly received from the attackers.

'The first should have been telling customers immediately when they were asked to pay a ransom,' Popa said. 'When organizations are upfront, people instinctively offer goodwill but when communication is delayed or vague, it leads to erosion of trust.'

The utility has offered customers two years of optional credit monitoring through TransUnion, but Popa said that's insufficient given the nature of the data that was potentially exposed.

'All customers should be getting 10 years of credit monitoring, automatically,' he said. 'This is immutable identity data. You can't change your SIN. The risk doesn't expire in two years.'

Popa recommends Nova Scotia Power take three immediate steps: explain the risks tied to the specific data that was stolen; advise customers to report any suspicious activity to the Canadian Anti-Fraud Centre; and provide access to independent resources such as those from the federal privacy commissioner.

He also noted people who receive dark web alerts from Equifax or TransUnion may not always see specifics. The alerts typically signal that some form of personal information – not necessarily SINs – is circulating in cybercrime marketplaces.

'It would be your email address, home address, or phone number. Criminals buy multiple data sets and piece them together to impersonate you more convincingly,' Popa said.

As the investigation continues, Popa emphasized that cybersecurity breaches are no longer rare events and companies should be better prepared.

'There's no substitute for conducting breach response simulations,' he said. 'You don't want your team thinking about how to respond for the first time while the breach is happening. These are learning opportunities, and companies need to treat them that way.'

Thieves gain access to about 140,000 social insurance numbers in NS Power database

CTV News

2 days ago


HALIFAX — Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber-thieves who recently hacked into the utility's customer records.

Peter Gregg said in an interview today that the privately owned utility collected the numbers from customers to authenticate their identities. He says social insurance numbers were in about half of the 280,000 customer records breached by cyber-criminals and released onto the dark web. The breach was first reported in late April.

Cybersecurity expert Claudiu Popa says it's worth asking why the company would need this kind of personal information. The founder of the non-profit group KnowledgeFlow says there are less risky ways of identifying customers.

The federal government's website says each nine-digit number represents a unique identifier for work applications and government records, and it advises people not to share the number unless it's legally required. Thieves can use the number to commit fraud, such as illegally accessing government benefits and tax refunds.

This report by The Canadian Press was first published May 29, 2025.

Is Victoria's Secret Down? Security Incident Closes Website

Entrepreneur

2 days ago


The retailer's website is completely dark (well, more like a shade of pink) with online operations in the U.S. shuttered.

Victoria's Secret is still completely offline on Thursday, with the website showing only a shade of pink with a text statement.

"Valued customer, we identified and are taking steps to address a security incident," the copy reads. "We have taken down our website and some [in-store] services as a precaution. Our team is working around the clock to fully restore operations."

On Wednesday, Victoria's Secret confirmed that a breach had occurred but did not disclose more information. CNN notes that it is rare for a company of this size to have its website go fully down.

The "security incident" also reportedly affected internal operations. Bloomberg reports that some employees were locked out of their emails.

According to a note seen by Bloomberg, Victoria's Secret CEO Hillary Super told employees: "Recovery is going to take a while."

The company notes on its website that its stores are still open, despite the interruptions. "We appreciate your patience during this process," the statement continues. "In the meantime, our Victoria's Secret and PINK stores remain open, and we look forward to serving you."

This is a breaking news story and will be updated.

Victoria's Secret takes down US website after 'security incident'

BBC News

2 days ago


Lingerie firm Victoria's Secret has taken down its US website and says it has halted some in-store services following what it has described as a "security incident". The normal site has been replaced by a customer notice which says it is "working around the clock to fully restore operations". It says its stores - and those of its spin-off, PINK - are still open for company's UK website is a statement, the company detailed the action it has been taking.

"We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in-store services as a precaution," it said.

It has not given any further details about the nature of the incident or confirmed when it company which is based in Ohio, in the US, operates around 1,350 retail stores across 70 share price fell by approximately 7% on Wednesday, when it first issued a media statement about the comes after a number of major UK retailers have been hit by major cyber attacks. M&S says it expects the hack it has been hit with will cost it around £300m, with disruption continuing until Co-op experienced empty shelves and disrupted payments after it was data has been stolen from both cyber criminals who say they were responsible told the BBC that they targeted the firms with ransomware, which involves scrambling IT systems and telling companies they will only be restored in exchange for police told BBC News that the crime gang Scattered Spider - some of whom are thought to be teenagers - are among the suspects.

Adidas Admits Data Breach Following Third-Party Attack

Forbes

3 days ago


Adidas is once again in the cybersecurity spotlight. This time the breach came through a side door. Attackers infiltrated a third-party customer service provider and accessed the contact information of Adidas customers, as reported by Bleeping Computer. This incident highlights a growing trend: hackers are increasingly targeting vendors to bypass the more robust defenses of global brands.

Adidas confirmed that names, email addresses and phone numbers of customers who contacted support were exposed. No payment or password data was compromised, but the information is a potential goldmine for phishing and social engineering attempts. The company has begun notifying affected users and has reported the breach to data protection regulators and law enforcement, as required by law.

This is not Adidas' first data security incident. In 2018, the company suffered a breach affecting millions of U.S. customers. Adidas disclosed separate incidents in Turkey and South Korea, both involving third-party customer service providers and exposing similar personal data.

Cybercriminals have shifted tactics. Instead of attacking a company's main network, they look for poorly guarded side doors. Third-party vendors often lack the robust security measures of the companies they serve, making them attractive targets. Key factors fueling this trend include:

Verizon's 2025 Data Breach Investigations Report found that 30 percent of breaches last year involved external service providers, raising ongoing concerns around vendor risk management and security oversight.

Forward-thinking retailers are adopting new strategies to reduce third-party risk. Consider these best practices:

The Adidas breach is not an isolated event. It is a warning for the entire retail sector. As hackers become more sophisticated, companies must treat third-party risk as a top priority, not just a compliance issue. Key takeaways for business leaders:

For businesses, remember that your security is only as strong as your weakest partner. The companies that thrive will be those that treat every link in their supply chain as a potential point of failure and act accordingly.
