HALIFAX — Nova Scotia Power confirmed on Friday what cybersecurity experts have suspected for weeks — that it was the victim of a ransomware attack.
In an update posted to its website, the private utility said that no payment was made to the person or group behind the “sophisticated” attack. It refused to pay the ransom, it said, after “careful assessment of applicable sanctions laws and alignment with law enforcement guidance.”
The utility’s investigation had found that its servers were breached on or around March 19 and the stolen customer information included credit histories, social insurance numbers, and bank account data. The company said late last month it was dealing with a cybersecurity incident it had discovered on April 25.
Cybersecurity experts have said the breach has the hallmarks of a ransomware attack — in which extortionists steal a company's data and then demand a ransom to unlock the files or prevent them from being sold.
David Shipley, CEO of New Brunswick-based Beauceron Security, said the nature of the information released by Nova Scotia Power on Friday was a “positive sign” that the company was being transparent about what happened. However, he said the utility could have gone public with the information earlier than it did.
“People would not believe the army of nerds and lawyers that descend on a company when something like this happens,” he said.
“Everything goes through this process that makes a Vatican conclave look ad hoc. Every sentence is scrutinized, particularly when you are a publicly traded company, to balance what they can say versus what they could be opening themselves up for.”
He said it's telling that the company didn't pay a ransom — Nova Scotia Power likely knew the group they were dealing with.
“That’s a really important clue that this entity is likely one that’s been well-identified and is sanctioned by the U.S. government and/or the Canadian government,” he said. Had the utility paid, he suggested, the company could have left itself open to sanctions.
Shipley said the information stolen in such breaches can be published on what's known as the dark web — part of the internet that can be accessed with special software — and through peer-to-peer file sharing services.
He described the Nova Scotia Power breach as a “canary in the coal mine,” signalling that other utilities and companies are vulnerable.
“If every provincial regulator does not wake up to this right now we are risking more harm to Canadians in terms of financial fraud, but we are definitely risking the stability of our power generation,” Shipley said. “It’s on the provinces to do this and I don’t think there’s a damn one that’s doing it well.”
Meanwhile, the utility said it has contacted affected customers and given them support, including a two-year subscription to a comprehensive credit monitoring service at no cost. It has also warned customers to watch out for unsolicited communications such as messages appearing to be from Nova Scotia Power asking for personal information.
This report by The Canadian Press was first published May 23, 2025.
Keith Doucette, The Canadian Press