N.S. Power says hackers have published stolen data from ransomware attack

CITYnews halifax / By Chris Halef

Nova Scotia Power says the hackers who breached its system have published stolen data in a ransomware attack in March.

In an update on Friday afternoon, the utility said it has made no payment to the threat actor after careful assessment of applicable sanctions laws and alignment with law enforcement guidance.

“We have learned that the threat actor has published data that was stolen from our systems,” the statement said. “We are actively working with cybersecurity experts to assess the nature and scope of the information that may have been impacted.”

In an email to CityNews Halifax, the utility would not say how many customers were impacted by the breach, but did say it sent notifications to roughly 280,000 individuals.

Nova Scotia Power said it is “sincerely sorry” this has happened and has mailed out notifications to customers who have been impacted, along with information on resources and supports.

Related:

• Nova Scotia electric utility says stolen customer data includes bank account numbers
• Theft of NS Power customer data is likely ransomware attack: security experts

The utility previously said the breach took place on or around March 19 and that data stolen from its customers includes credit histories, social insurance numbers and information on driver’s licences and bank accounts.

It went on to say customers should watch out for unsolicited communications such as messages appearing to be from Nova Scotia Power asking for personal information.

Where the data likely is

David Shipley, CEO of New Brunswick-based Beauceron Security, said the nature of the information released by Nova Scotia Power on Friday was a “positive sign” that the company was being transparent about what happened. However, he said the utility could have gone public with the information earlier than it did.

“People would not believe the army of nerds and lawyers that descend on a company when something like this happens,” he said.

“Everything goes through this process that makes a Vatican conclave look ad hoc. Every sentence is scrutinized, particularly when you are a publicly traded company, to balance what they can say versus what they could be opening themselves up for.”

He said it’s telling that the company didn’t pay a ransom — Nova Scotia Power likely knew the group they were dealing with.

“That’s a really important clue that this entity is likely one that’s been well-identified and is sanctioned by the U.S. government and or the Canadian government,” he said. Had the utility paid, he suggested, the company could have left itself open to sanctions.

Shipley said the information stolen in such breaches can be published on what’s known as the dark web — part of the internet that can be accessed with special software — and through peer-to-peer file sharing services.

With files from Keith Doucette, The Canadian Press.