HALIFAX — The federal privacy commissioner has launched an investigation into a ransomware attack that led to the theft of personal information belonging to 280,000 customers of Nova Scotia's electric utility.
Privately owned Nova Scotia Power confirmed last week that hackers stole the data and published it on the dark web.
Privacy commissioner Philippe Dufresne said in a statement Wednesday that he started the probe after receiving complaints about a security breach the utility reported in late April.
“Data breaches have surged over the past decade and this incident highlights the growing risks of cyberattacks for all organizations,” he wrote in the statement.
Dufresne said he wants to make sure the utility is taking appropriate steps to deal with the breach, which the company says included disclosure of some customers' social insurance numbers.
The commissioner says his investigation is looking at steps the company has taken to contain the breach, notify its customers and reduce the risk of fraud and identity theft.
Nova Scotia Power says it's offering affected customers a two-year subscription for credit monitoring services through TransUnion Canada.
It's also sent letters to customers informing them the stolen data may include their names, birth dates, email addresses, home addresses, customer account information, driver's licence numbers and, in some cases, bank account numbers.
Some experts have criticized how the utility notified customers about the breach.
According to the commission's website, federal privacy law requires notifications to be given "as soon as feasible" after a company has determined "a breach of security safeguards involving a real risk of significant harm" has occurred.
The website also says the notice should include a description of the circumstances of the breach, the time it occurred, a description of the personal information taken, and a "description of the steps that the organization has taken" to reduce the risk of harm.
Cybersecurity expert Claudiu Popa, CEO of Informatica Corp., questions whether these standards were met by the utility.
Based on the letters he's seen sent to customers, Popa said the information does not provide much detail.
"The further inadequacy was the lack of explanation of what could go wrong and what could be done with this information," he said, referring to the customer notifications.
He also said the company's offer of a free, two-year subscription to TransUnion's monitoring service isn't long enough.
"We should not be naive about the fact that these criminals now have a rich data set to exploit Nova Scotia victims for the foreseeable future, and that foreseeable future probably extends beyond 24 months," said Popa, author of "The Canadian Cyber Fraud Handbook."
Nova Scotia Power spokeswoman Kathryn O'Neill said in an email Wednesday the company is aware the cyberattack "has been really concerning for some of our customers."
"Impacted individuals have received detailed information about available resources and support," she wrote.
"We continue to work with leading third-party cybersecurity experts on this complex investigation and the safe and secure restoration of our systems. We’re also implementing additional safeguards to help prevent similar incidents in the future."
In his statement, Dufresne said customers would be wise to sign up for credit monitoring services, and he said they should monitor their bank accounts and notify their financial institutions.
This report by The Canadian Press was first published May 28, 2025.
Michael Tutton, The Canadian Press
