Energy minister seeks answers from Nova Scotia Power amid cybersecurity breach

Nova Scotia's energy minister is seeking answers from Nova Scotia Power and the province's energy regulator is planning its own investigation into a cybersecurity breach at the utility that resulted in customer information being accessed and taken.

In a letter to Nova Scotia Power president and CEO Peter Gregg dated May 7, Trevor Boudreau said he wants to know what immediate actions are being taken to support people awaiting service. He also wants a guarantee customers won't face late penalties or disconnections until the issues are resolved.

"This incident has raised significant alarm over the protection of customer data, reliability of electricity services and infrastructure," Boudreau's letter read in part.

"I am particularly troubled by the disruption this breach has caused to essential services, including delays in power hook-ups and service connections for residents and businesses. These delays are not only inconvenient but also represent risks to health, safety and economic stability, particularly for vulnerable individuals and small businesses that rely on uninterrupted electricity."

The Nova Scotia Energy Board, formerly known as the Nova Scotia Utility and Review Board, announced Thursday it will launch an investigation.

"The Nova Scotia Energy Board has opened a formal proceeding to investigate the Nova Scotia Power cybersecurity incident. We are currently in discussions with cybersecurity experts to engage them in the matter," the board said in a statement on its website.

While the board said it recognizes the company is "focused on recovery and mitigation efforts," its process "is not intended to interfere with that critical work," the statement said.

"Our role is to ensure regulatory oversight and accountability while allowing the utility to concentrate on restoring systems and supporting impacted customers. We take this matter very seriously and are committed to a thorough and transparent process," the board said.

The scope of the board's investigation is still being defined. Some of the things that could be covered include a review of the cause of the incident, Nova Scotia Power's reporting to authorities and its response to the incident, and the impact of the incident on ratepayers and to the utility and its data.

In an update Wednesday, Nova Scotia Power said it has begun to notify customers whose data was compromised. The customer information that could have been taken by an "unauthorized third party" may have included addresses, phone numbers, birthdates, driver's licence and social insurance numbers, and banking information, the utility said.

Nova Scotia Power said it is working with cybersecurity experts to determine the extent of the breach and to safely restore and rebuild systems that were compromised. It also arranged to have TransUnion provide affected individuals with a free two-year subscription to a credit monitoring service.

To get the situation under control, Nova Scotia Power has paused billing and shut down its online customer portal MyAccount.

No services have been disrupted as a result of the incident, the company said, and late fees have been paused.