Nova Scotia Power has confirmed that hackers infiltrated its IT infrastructure and exfiltrated sensitive customer data, including banking details from pre-authorized payment systems, in a cyberattack first detected on March 19, 2025.
The energy provider revealed on May 14 that unauthorized actors accessed servers containing personal identifiers, financial records, and operational data, with forensic analysis confirming data theft.
While the investigation remains ongoing, the breach impacts an undisclosed number of customers, prompting free credit monitoring services and warnings about heightened phishing risks.
The breach stemmed from a sophisticated cyber incident that compromised Nova Scotia Power’s internal networks, with attackers maintaining persistent access for nearly two months before detection.
External cybersecurity consultants assisting the investigation traced the initial intrusion to March 19, though the utility only confirmed data theft on May 14.
Attackers bypassed defenses to access customer databases storing granular account histories, including power consumption patterns, billing disputes, and payment histories.
Of particular concern is the exposure of banking information tied to pre-authorized debit systems.
Customers who enrolled in automatic bill payments may have had their bank account numbers extracted, though the utility clarified this only affected individuals who directly provided those details.
The delayed disclosure reflects the complexity of forensic audits required to map data flows across compromised systems.
Scope of Compromised Identifiers
The stolen dataset represents a mosaic of personally identifiable information (PII) and financial records.
Core identifiers such as full names, birthdates, mailing addresses, and contact information were universally exposed.
For 39% of impacted customers, according to internal estimates, this included heightened sensitivity markers like Social Insurance Numbers (SINs) and driver’s license details.
The breach also captured temporal behavioral data, including monthly energy usage trends, service request logs, and credit adjustment histories.
This creates profiling risks, as attackers could correlate consumption patterns with occupancy schedules or appliance usage.
For commercial accounts, the stolen correspondence may reveal operational vulnerabilities, though Nova Scotia Power has not clarified the business-customer impact.
Critically, the attackers exfiltrated banking credentials from a subset of residential accounts.
While the utility emphasized that only customers using pre-authorized payments were affected, the lack of encryption on stored account numbers worsened the exposure.
This contrasts with standard payment card industry practices, raising questions about data governance protocols.
Institutional Response
Nova Scotia Power has partnered with TransUnion to offer two years of myTrueIdentity® credit monitoring, including dark web surveillance and identity restoration services.
Impacted customers will receive activation codes via postal mail, with a dedicated helpline for enrollment support.
The utility is also rebuilding compromised IT systems using air-gapped backups, though full restoration timelines remain unspecified.
Cybersecurity analysts recommend affected customers implement financial safeguards beyond the provided monitoring.
These include placing fraud alerts with credit bureaus, scrutinizing bank statements for unauthorized debits, and replacing pre-authorized payment methods with temporary virtual account numbers.
The breach underscores vulnerabilities in legacy utility billing systems, which often lack tokenization for recurring transactions.
The incident has prompted calls for regulatory scrutiny of energy sector cybersecurity practices.
Unlike financial institutions, utilities are not federally mandated to adhere to strict data protection frameworks, leaving customer data management policies inconsistent.
Nova Scotia Power confirmed it will undergo a third-party security audit post-recovery, though critics argue proactive hardening of payment systems could have mitigated the breach’s severity.
As investigations continue, the company urges vigilance against follow-on social engineering attacks.
Phishing campaigns impersonating Nova Scotia Power staff may target victims with urgent payment demands or fake credit monitoring links.
Customers should verify communications through official channels and avoid clicking unsolicited attachments.
The breach highlights critical infrastructure’s growing attractiveness to ransomware groups and data brokers, with energy providers becoming high-value targets.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
