Nova Scotia Power says ransomware hackers have published stolen data
Information could be used for 'infinity of scenarios that could possibly victimize someone,' expert says
Nova Scotia Power has confirmed it is the victim of a ransomware attack and that the hackers who stole data have published it on the dark web.
Peter Gregg, the utility's president and CEO, said Friday it is believed 280,000 customers have had their information stolen — more than half of the customers in the province.
Gregg said the attack comes from a "very sophisticated threat actor." He said there is a ransom request but none has been paid.
"Based on expert advice, including law enforcement at all levels, we made the decision to ... we have not paid," he said.
Cybersecurity experts are now helping Nova Scotia Power, Gregg said.
While cybersecurity protections are in place at the utility, Gregg said there is now an active investigation to see what can be learned from the breach and tighten defences in the future.
The operations side of the business was not affected, he said.
Nova Scotia Power and parent company Emera announced in late April that they were dealing with a cybersecurity incident discovered on April 25. The company's investigation later revealed the data was accessed more than a month earlier, on or around March 19, and was later stolen.
This week, customers began receiving letters from Nova Scotia Power informing them that an "unauthorized third party" had gained access to certain parts of its Canadian network and servers.
The letters say the stolen information may include name, phone number, email address, mailing address, date of birth, account history, driver's licence, social insurance number and bank account numbers.
"We know if you're receiving one of those notices from us we know you're concerned and we apologize for that," Gregg said.
The company is offering a free credit monitoring service from TransUnion for two years.
Nova Scotia Power also advises customers to be cautious about unsolicited communications such as emails, texts, social media posts or phone calls appearing to be from the company and asking for personal information.
The company says it is working to restore and strengthen its systems and add safeguards to prevent such incidents in the future.
Cybersecurity expert weighs in
Claudiu Popa is the CEO of cybersecurity company Datarisk Canada and the founder of KnowledgeFlow, an organization dedicated to helping people protect themselves from digital security threats.
He says Nova Scotia Power should have been more transparent and accountable about the breach, including its role in the hack.
"It doesn't actually say, you know what, we were the custodians of that information, which we asked you to provide to us," he said.

He added that the letters sent to customers should be customized to each person and state exactly what information of theirs was stolen.
Popa said with the scope of information stolen by the hackers, they could use it for an "infinity of scenarios that could possibly victimize someone," such as taking over an account, starting a new account, applying for a mortgage or loan or making payments on products.
The two-year credit monitoring service offered by Nova Scotia Power is "entirely insufficient," he said, noting that the risk of identity fraud will go well beyond two years.
Popa encourages people to file complaints with the Office of the Privacy Commissioner "to ensure that a proper, independent investigation is carried out into this catastrophic incident."
'I have very little confidence,' says customer
Kevin Smith, a Nova Scotia Power customer who lives in the Rockingham neighbourhood of Halifax, said he is confused by the letter he received from the utility.
"They didn't come out and say that my information was stolen or anything like that," he said. "They said that my personal information was stored on impacted servers, which I had to read twice because I wasn't actually sure if I was affected or not."
He said the information about obtaining credit monitoring also left him with a lot of questions.
"I have no idea what that is. And I am supposed to go through all this? I'm supposed to sign up for this? I'm supposed to call this number? I'm supposed to fill all this out? What about them? Like what are they supposed to do?"

While the letter, signed by Gregg, does contain an apology, Smith said it doesn't reflect that Nova Scotia Power is to blame.
"They don't actually claim that it was their fault," Smith said. "I just feel like they're just not taking this seriously or they're trying to protect themselves over their customers."
The whole experience — including that Nova Scotia Power didn't discover the breach for nearly five weeks, then took three days to disclose it to the public — has left Smith's trust in the company shaken.
"I have very little confidence that this is being dealt with properly."
With files from Gareth Hampshire