Nearly a month after disclosing a cybersecurity incident, Canadian electric utility Nova Scotia Power has confirmed it was the target of a sophisticated ransomware attack. The breach, first revealed on April 28 by Nova Scotia Power and its parent company Emera, has now been linked to the theft of sensitive customer information affecting more than 280,000 individuals.
In a public update posted on May 23, the company admitted the attack involved ransomware and clarified that no ransom payment has been made. Nova Scotia Power stated this decision was made in line with law enforcement guidance and sanctions compliance.
Sensitive Customer Data Exposed, But Power Supply Unaffected
The utility first acknowledged the breach in early May, stating that hackers had accessed customer records. By May 14, it confirmed that the compromised data included:
- Full names, dates of birth, phone numbers, and email addresses
- Mailing and service addresses
- Power usage data, service requests, and billing/payment history
- Highly sensitive information such as driver’s license numbers, Social Insurance Numbers, and bank account details used for pre-authorized payments
Despite the scale of the breach, electricity generation and distribution operations were not affected, the company emphasized. Service to Nova Scotia Power’s approximately 550,000 customers continued uninterrupted.
In the latest disclosure, the company said the attackers have begun publishing stolen data, though it remains unclear which ransomware group is responsible or where the information has been leaked. As of now, Nova Scotia Power has not appeared on any of the major ransomware leak sites tracked by cybersecurity analysts.
The utility is now working with third-party cybersecurity experts to determine the full extent of the compromised data and has started notifying impacted customers.
Growing Cyber Threat to Critical Infrastructure
While ransomware attacks on power utilities remain relatively rare, cybersecurity experts have long warned about the risk. Power grids represent high-value targets due to their strategic importance, and both criminal and state-sponsored threat actors have shown interest in exploiting vulnerabilities in utility software and infrastructure.
Nova Scotia Power’s breach highlights how these threats can also result in large-scale data loss, even when core utility systems remain operational.
The company has advised customers to monitor their financial accounts and consider identity protection services. More information and updates are being made available on its website as the investigation progresses.