Nova Scotia Power confirmed on Friday that it was the target of a ransomware attack, confirming suspicions raised by cybersecurity experts in recent weeks.
In a statement posted on its website, the utility said it did not pay a ransom to the attackers, describing the breach as “sophisticated.” The company said the decision to refuse payment followed a review of applicable sanction laws and a consultation with law enforcement.
The investigation found that the utility’s servers were compromised on or around March 19. Stolen customer data reportedly included credit histories, social insurance numbers, and bank account information. Nova Scotia Power initially disclosed it was managing a cybersecurity incident on April 25.
Ransomware attacks involve the theft of data, with extortionists demanding payment to unlock files or prevent the sale of stolen information.
David Shipley, CEO of New Brunswick-based Beauceron Security, said Nova Scotia Power’s disclosure was a sign of transparency but noted the company could have informed the public earlier.
“Companies undergo a thorough internal review before releasing information, especially publicly traded ones, to balance transparency with legal risks,” Shipley said.
He added that the refusal to pay ransom suggests the utility may have identified the group behind the attack, possibly subject to sanctions by US or Canadian authorities. Paying a ransom to sanctioned entities could expose companies to legal penalties.
Shipley noted stolen data from such breaches often appears on the dark web or through peer-to-peer file sharing, creating ongoing risks. He described the incident as a warning sign for utilities and other critical infrastructure providers.
The attack follows a broader pattern of cyber incidents affecting Nova Scotia, including a 2023 breach of the provincial government’s MOVEit file transfer service that exposed personal data of about 100,000 individuals. The series of breaches has raised concerns about cybersecurity vulnerabilities in the province’s critical infrastructure.
“If provincial regulators do not respond effectively, there could be increased risks of financial fraud and disruptions to power generation,” Shipley said.
Nova Scotia Power has contacted affected customers and is providing support, including two years of complimentary credit monitoring. The company also cautioned customers to remain alert for unsolicited communications claiming to be from the utility and seeking personal information.
