Nova Scotia Power, a key electric utility, disclosed on April 25 that it had fallen victim to a cyberattack, resulting in the compromise of personal customer data. The Royal Canadian Mounted Police (RCMP) have been engaged to investigate the breach, which preliminary assessments suggest is a ransomware attack, according to a statement from the utility.
David Shipley, CEO of Beauceron Security based in New Brunswick, noted that the incident displays characteristics typical of ransomware, including the deployment of ‘double extortion’ tactics. This method involves not only the encryption of data but also threats to sell the stolen information on the dark web unless a ransom is paid.
The likelihood of a ransomware attack was corroborated by Natalia Stakhanova, Canada Research Chair in Security and Privacy at the University of Saskatchewan. Stakhanova highlighted the vulnerability of utility companies to such cyber threats.
Casey Spears, social and digital adviser for Nova Scotia Power, stated that while specific details of the breach are currently withheld pending further investigation, affected customers will be notified upon the conclusion of the inquiry.
Mark Plemmons of Dragos Inc., a global cybersecurity firm, reported an increase in ransomware attacks targeting electrical utilities. According to Dragos Inc.’s annual report, there were 30 such incidents globally last year, with the number of ransomware groups rising from 50 to 80 in 2024.
The consensus among experts is that the attack was executed by a criminal gang motivated by financial gain, as opposed to a state-sponsored actor seeking to disrupt the power grid. Shipley remarked that infrastructure-targeted attacks typically suggest state involvement, which does not appear to be the case in this incident.
Plemmons noted that while cyber attackers often use ‘living off the land’ techniques to blend their activities with normal network operations, these methods were not reported in this specific case.
Shipley referenced a prior ransomware attack on the PowerSchool system in December, which affected Canadian students and staff. The Toronto District School Board’s payment of a ransom led to a subsequent demand for the same data four months later, prompting Shipley to warn that paying the ransom does not ensure the deletion of stolen data, which could be sold on the dark web, potentially resulting in identity theft at an average cost of $4,000 per Canadian.
Stakhanova called for enhanced data protection regulations from both federal and provincial governments, stating, ‘As customers, we are very unprotected. We have no control over what happens with the data, our personal data, and we have no say over how the company should protect it and how the company should act in unfortunate cases like this.’
Rebecca Brown from the Nova Scotia Energy Board announced that the board will initiate a formal proceeding to assess the breach, examining its origins, Nova Scotia Power’s response, and the repercussions for the utility and its customers.
This incident underscores the critical need for robust cybersecurity measures to safeguard personal data and critical infrastructure across Canada.
