N.S. Power CEO, staff grilled over breach that allowed theft of 280,000 customers' data

Nova Scotians have lost trust in the province's largest electric utility, provincial politicians said Wednesday during a heated committee meeting that raised tough questions about the recent ransomware attack on Nova Scotia Power.

The cybersecurity breach gave thieves access to personal and financial data belonging to 280,000 ratepayers — about half of the utility's customers.

Members of the public accounts committee grilled Nova Scotia Power CEO Peter Gregg and two other senior staff members, asking them how the breach happened and what the company will do to protect ratepayers from financial harm.

"We understand it is very concerning, and we're working hard to address customer issues and to continue to strengthen our systems as we work to restore and rebuild," Gregg told the committee.

By the time the meeting was over, however, the executives had very little new information to share.

WATCH | Senior N.S. Power staff questioned about SIN storage, potential ratepayer increases: 

MLA grills senior N.S. Power staff on SIN storage, breach costs

22 days ago

Duration 7:02

John White, MLA for Glace Bay-Dominion, questioned the utility's senior staff at a provincial legislative committee on Wednesday, following a massive cybersecurity breach.

"We have, as far as we understand, 140,000 Nova Scotians who have had their social insurance numbers stolen, and those people are furious," NDP Leader Claudia Chender told the committee.

Gregg said the company, a subsidiary of Halifax-based Emera Inc., identified unusual activity on their servers on April 25, but they later determined the cyber-thieves had accessed the system as early as March 19.

The utility has since sent letters to customers informing them the stolen data may include their names, birthdates, email addresses, home addresses, customer account information, driver's licence numbers and, in some cases, bank account numbers and social insurance numbers.

The cyberattack affected almost half of the utility's 525,000 customers.

Gregg confirmed the company had previously collected social insurance numbers to authenticate customers' identities in cases where multiple customers had the same name, but he said that practice has stopped.

The utility now requests only the last three digits of each customer's social insurance number, which is not stored.

WATCH | What customers can expect following data breach at NSP: 

N.S. Power addresses loss of trust, penalties for late payments

22 days ago

Duration 6:11

Nova Scotia NDP Leader Claudia Chender asked CEO Peter Gregg and Chris Lanteigne, director of customer care, about what customers can expect from the utility after their data was stolen in a cybersecurity breach.

Still, Chender pressed utility executives to explain why Nova Scotia Power continues to store the full social insurance numbers it had previously collected. But they declined to say, citing an ongoing investigation.

"I don't have an answer for you today," Gregg said.

Chender said Gregg's response was disappointing. "With stronger safety protocols, Nova Scotians would be protected," she said.

The NDP leader went on to ask how affected ratepayers would be compensated for potential losses. Again, Gregg did not directly answer, saying the utility is offering customers a two-year subscription for credit monitoring, which might be extended.

Progressive Conservative member Brian Wong said Nova Scotians deserve better.

"We have Nova Scotians that aren't just scared, they're angry," he told Gregg.

WATCH | Gregg expects insurance will cover costs, but can't give definitive answer: 

N.S. Power president can't say if ratepayers will see increase following data breach

22 days ago

Duration 2:36

Derek Mombourquette, Nova Scotia's interim Liberal leader, pressed CEO Peter Gregg at a legislative committee meeting Wednesday on whether customers will see a rate increase following a cybersecurity breach.

When asked by multiple committee members if Nova Scotia Power would commit to covering the costs of the breach internally rather than handing the bill to ratepayers, Gregg again avoided a direct answer.

He said Nova Scotia Power's cybersecurity insurance would likely cover many expenses, but he said the utility doesn't yet know the cost of the breach. "Until we get further into this investigation and determine total cost, I can't give you a yes or no answer."

Interim Liberal Leader Derek Mombourquette said Nova Scotia Power's first step toward rebuilding public trust should be promising not to pass on costs to consumers who have long complained about soaring electricity bills and frequent power outages.

"There is no trust with Nova Scotia Power right now," Mombourquette said after the meeting. "I don't believe what we heard in the committee today has done any more to reassure the customers."

LISTEN | N.S. politicians dissatisfied with Nova Scotia Power's handling of cyber breach:

Information Morning - NS16:03N.S. politicians dissatisfied with Nova Scotia Power's handling of cyber breach

Portia interviews NDP and Official Opposition Leader Claudia Chender, interim Liberal Leader Derek Mombourquette, and Progressive Conservative MLA John White – members of the province's Public Accounts Committee – following an emergency meeting in the legislature where Nova Scotia Power were held to account on the cyber attack.

As the meeting concluded, Chender put forward a motion to request the province's auditor general investigate the breach, which was adopted.

Meanwhile, the federal privacy commissioner has already launched an investigation. Philippe Dufresne issued a statement last week saying he started the probe after receiving complaints about the security breach in April.