Nova Scotia Power reveals month-long delay in detecting cyberattack on internal network

Nova Scotia Power, a Canadian electric utility provider, revealed that threat actors had gained access to its internal network nearly a month before the breach was detected.

 

Headquartered in Halifax, Canada, Nova Scotia Power is the primary electricity provider in Nova Scotia province and caters to roughly 550,000 customers in the area. It is privately owned by Emera and regulated by the provincial government via the Nova Scotia Utility and Review Board.

 

In a data security incident notice published on its website on May 1, NSP and its parent company Emera, said that on April 25, it detected unusual activity in its internal network. The electricity provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to contain the incident, secured the affected systems and notified relevant law enforcement authorities about the same.

 

“While our investigation is ongoing, we have identified that certain customer personal information was accessed and taken by an unauthorised third party,” NSP said.

 

In a separate update published on May 14, NSP said that threat actors breached its internal network on March 19 and stole customer data.

 

The compromised data included names, phone numbers, email addresses, mailing and service addresses, Nova Scotia Power program participation information, dates of birth, customer account history including  power consumption details, service requests, customer payments, billing information,  credit history, driver’s license numbers, Social Insurance Numbers, and customers’ bank account numbers for pre-authorised payment.

 

While NSP found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.