Nova Scotia Power Data Breach Compromises Data of Over 900,000 Users
2026-3-26 11:34:55 Author: thecyberexpress.com

The Nova Scotia Power data breach has forced the utility provider to commit to stronger cybersecurity and privacy safeguards after a cyberattack exposed sensitive data of more than 900,000 current and former customers. The scale of the Nova Scotia Power data breach and the nature of the compromised information have raised serious questions about how organizations manage and protect customer data.

The breach, discovered on April 25, 2025, was not the result of a single failure. Instead, it unfolded over weeks—highlighting how attackers can quietly move through systems before being detected.

Nova Scotia Power Data Breach Linked to Malware Infection

According to details shared in a compliance letter, the Nova Scotia Power data breach began on or around March 19, 2025. An employee accessed a compromised website infected with “SocGholish” malware and clicked on a malicious pop-up link. This allowed the malware to install and create a foothold within the network.

From there, attackers escalated their access. Between April 8 and April 22, they moved laterally across systems using domain administrator privileges, conducted internal reconnaissance, and harvested credentials. This phase is critical, and often underestimated in cyber incidents.

By the time the Nova Scotia Power data breach was detected, the attackers had already spent days exploring the network.

Data Exfiltration and Ransomware Deployment

The final stage of the Nova Scotia Power data breach occurred between April 23 and April 25, when the threat actor exfiltrated data from both on-premises systems and cloud storage. Shortly after, ransomware was deployed, backups were destroyed, and multiple applications stopped functioning.

The attack was only discovered when employees reported system disruptions—an indication that the breach had already reached its most damaging phase.

The attackers later contacted the company via a Tor-based dark web page, providing proof that sensitive customer data had been accessed. However, there is no confirmed evidence so far that the data has been publicly released or sold.

Nova Scotia Power chose not to pay the ransom, aligning with law enforcement guidance.

Scope of the Nova Scotia Power Data Breach

The Nova Scotia Power data breach impacted approximately 375,000 current customers and 540,000 former customers. The compromised data includes:

  • Names, phone numbers, and email addresses
  • Mailing addresses and dates of birth
  • Account and billing history, including bank details
  • Driver’s license numbers and Social Insurance Numbers (SINs)

This level of exposure significantly increases the risk of identity theft and financial fraud, making the Nova Scotia Power data breach particularly serious.

Delayed Notifications and Customer Concerns

The handling of the Nova Scotia Power data breach has also drawn scrutiny. The Office of the Privacy Commissioner of Canada received multiple complaints, particularly around delayed notifications and the use of mailed letters, which slowed communication with affected individuals.

Some concerns were also raised about the collection and storage of SINs, which were part of the compromised dataset.

While Nova Scotia Power informed the public on April 28 and notified regulators by May 1, direct notifications to customers began weeks later, with additional affected individuals identified months after the initial disclosure.

This staggered communication reflects the complexity of breach investigations—but also highlights the importance of timely transparency.

Response and Security Commitments

Following the Nova Scotia Power data breach, the company took steps to contain the incident. This included isolating affected systems, resetting compromised credentials, and working with third-party cybersecurity experts to investigate and remediate the breach.

Customers were offered credit monitoring and identity protection services, initially for 24 months and later extended to five years for all customers.

More importantly, Nova Scotia Power has now committed to strengthening its security measures under a compliance agreement. The Office of the Privacy Commissioner will continue to monitor progress until all commitments are fulfilled.

Privacy Commissioner Philippe Dufresne stated, “I welcome this commitment by Nova Scotia Power to ensure stronger protections for the personal information of its customers. This privacy breach highlights the significant risks of cyberattacks to individuals and companies. Strong, proactive data protection, including robust safeguards, must be prioritized by all organizations in this evolving landscape.”


Article source: https://thecyberexpress.com/nova-scotia-power-data-breach-2/