Full Report
Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach. The utility, owned by Emera Inc., revealed that the attack resulted in a data breach impacting approximately 280,000 customers—but emphasized it has not paid the ransom demanded by the attackers.

The Nova Scotia cyberattack, which began around March 19, 2025, was first made public on April 28. Since then, the utility has issued a series of updates to keep the public informed as its investigation unfolded. In its most recent statement on May 23, Nova Scotia Power confirmed the nature of the incident, stating, “We are confirming we have been the victim of a sophisticated ransomware attack.”

A Timeline of the Nova Scotia Cyberattack

On April 25, the company detected unusual activity within its network, prompting the activation of its incident response protocols. Immediate steps were taken to contain the situation and to bring in external cybersecurity experts to help assess the breach. Law enforcement was also notified.

By May 1, the company admitted that certain customer information had been accessed by an unauthorized third party. While the full scope was still under review at that point, Nova Scotia Power began preparing notifications for those affected.

On May 14, the company provided an update on the Nova Scotia data breach, confirming that hackers had stolen a range of customer data. The exposed information includes names, dates of birth, email addresses, phone numbers, mailing and service addresses, customer account histories, power consumption details, service requests, payment and billing histories, and credit histories. More sensitive data, such as driver’s license numbers, Social Insurance Numbers (SIN), and bank account details (for those using pre-authorized payments), were also compromised.
Ransom Not Paid

Despite the severity of the attack, the company has stood firm on one key point: no payment has been made to the attackers. “This decision reflects our careful assessment of applicable sanctions laws and alignment with law enforcement guidance,” the company said in its May 23 statement.

The firm continues to work with cybersecurity experts to determine the full extent of the breach and to evaluate the nature of the stolen data, which has now been published online by the attackers.

To help mitigate potential harm, Nova Scotia Power has partnered with consumer credit reporting agency TransUnion to offer a two-year subscription to its credit monitoring service, myTrueIdentity, free of charge to those affected. Notification letters have been mailed to impacted individuals, containing instructions on how to enroll in the service and tips for protecting personal information.

The company has urged customers to remain vigilant. “Please be cautious about unsolicited communications, especially messages that appear to come from Nova Scotia Power requesting personal information,” officials advised. Customers are reminded not to click on suspicious links or download attachments from unverified sources.

Systems Restored, No Impact on Power Supply

Nova Scotia Power has assured the public that, despite the data breach in Nova Scotia, there has been no impact on electricity generation, transmission, or distribution systems. The utility continues to operate normally, with its critical infrastructure unaffected. “There remains no disruption to Nova Scotia Power’s generation, transmission, and distribution facilities, and the incident has not impacted our ability to safely and reliably serve customers,” the company reiterated.

The parent company, Emera Inc., confirmed that the incident has not materially impacted its financial performance and is proceeding with its scheduled quarterly financial disclosure.
Conclusion

The organization continues to investigate the full scope of the cyberattack while working closely with cybersecurity experts to restore and strengthen its systems. With over 280,000 customers affected, the Nova Scotia data breach stands out as one of the most serious cyber incidents in recent Canadian history.
Analysis Summary
# Incident Report: Nova Scotia Power Data Breach
## Executive Summary
Nova Scotia Power suffered a significant cyberattack resulting in the exposure of customer data for approximately 280,000 individuals. While the attack appears to have involved ransomware based on initial reporting, critical electricity generation and distribution systems remained operational. The primary impact was a large-scale data breach, prompting the utility to offer identity protection services to affected customers.
## Incident Details
- **Discovery Date:** Not explicitly stated (inferred to be shortly before May 26, 2025, when the news broke)
- **Incident Date:** Not explicitly stated
- **Affected Organization:** Nova Scotia Power (Parent company: Emera Inc.)
- **Sector:** Utilities (Electricity)
- **Geography:** Nova Scotia, Canada
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Implied to involve ransomware, though the specific initial entry vector is not detailed in the provided text.
- **Details:** Attackers successfully breached systems leading to data exfiltration.
### Lateral Movement
- *Information not available in the provided text.*
### Data Exfiltration/Impact
- **What was stolen or damaged:** Customer personal data affecting 280,000 customers. The specific types of data are not fully enumerated but subsequent actions suggest sensitive PII was involved. Organizational systems were impacted, but critical power supply functions were not.
### Detection & Response
- **How it was discovered:** Not explicitly stated.
- **Response actions taken:** Notification letters were mailed to impacted individuals; free credit/identity monitoring services (myTrueIdentity) were offered; public warnings were issued cautioning against phishing attempts related to the breach.
## Attack Methodology
- **Initial Access:** Ransomware (implied).
- **Persistence:** *Information not available in the provided text.*
- **Privilege Escalation:** *Information not available in the provided text.*
- **Defense Evasion:** *Information not available in the provided text.*
- **Credential Access:** *Information not available in the provided text.*
- **Discovery:** *Information not available in the provided text.*
- **Lateral Movement:** *Information not available in the provided text.*
- **Collection:** Gathering and exfiltrating customer data.
- **Exfiltration:** Data theft resulting in the breach of 280,000 records.
- **Impact:** Data exposure/breach. No operational impact on power supply.
## Impact Assessment
- **Financial:** Emera Inc. confirmed the incident has *not* materially impacted its financial performance as of the reporting date.
- **Data Breach:** Data belonging to approximately 280,000 customers exposed.
- **Operational:** No disruption to Nova Scotia Power’s generation, transmission, and distribution facilities; services continued reliably.
- **Reputational:** The incident is noted as one of the most serious cyber incidents in recent Canadian history.
## Indicators of Compromise
- *No specific IoCs (IP addresses, domains, hashes) provided in the text.*
- **Behavioral indicators:** Unsolicited communications/phishing attempts targeting customers impersonating Nova Scotia Power.
## Response Actions
- **Containment measures:** Not explicitly detailed, but implied by the continuity of power operations.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Restoration and strengthening of systems underway; offering complimentary identity protection services to affected customers.
## Lessons Learned
- The organization maintains the capability to withstand severe cyberattacks without service disruption to essential functions (power supply).
- Robust data breach notification procedures and identity theft risk mitigation are necessary for a large customer base (280,000).
## Recommendations
- Further investigation into the root cause and specific techniques used by the attackers (especially persistence and lateral movement) is crucial.
- Enhance security controls to prevent initial access, particularly if ransomware was the entry point.
- Increase customer education regarding phishing attacks that may follow the data disclosure, emphasizing caution against clicking suspicious links or downloading unverified attachments.