Impact of cyberattack on Nova Scotia Power could be bigger than first thought

Hey there, time traveller!
This article was published 09/09/2025 (260 days ago), so information in it may no longer be current.

HALIFAX – Nova Scotia’s largest electric utility says the impact of a sophisticated cyberattack in March could be much broader than first thought.

Nova Scotia Power said in May that about half of its customers — 277,000 ratepayers — may have had personal information stolen by hackers. But the privately owned utility is now saying all of its customers may be affected in some way.

The new information comes from a Nova Scotia Power report submitted last week to the independent Nova Scotia Energy Board, which is investigating the cybersecurity breach.

“This investigation is ongoing and has been complex given the severe nature of the cyberattack,” the report says. “It remains possible that all of the company’s customers may have been impacted by the cyberattack.”

The stolen data includes names, birth dates, email addresses, home addresses, customer account information, driver’s licence numbers and, in some cases, bank account numbers and social insurance numbers.

The report, parts of which have been redacted, also says the utility has no way of telling individual customers what specific information has been stolen from them.

“Due to the nature of the breach and the complexity of the systems involved, and despite the company’s comprehensive investigative efforts, the data accessed … cannot be definitively identified on an individual basis.”

The security breach was first noticed on April 25. Nova Scotia Power called in the RCMP and the Canadian Security Intelligence Service on April 27, and the public was alerted April 28.

“The incident has not caused any disruption to physical operations at NS Power’s generation, transmission and distribution facilities,” the report says.

The document, however, confirms the cyberattack compromised the company’s ability to automatically retrieve electricity usage readings from customers’ smart meters. In June, the utility started issuing estimated bills based on an average of previous energy usage.

“Some customer bills did appear larger than anticipated,” the report says. “In some cases, payments had not yet been received and processed (and) some customers received bills closer together …. NS Power is focused on maintaining a normal billing schedule as much as possible to mitigate some of these customer concerns.”

The company, a subsidiary of Halifax-based Emera Inc., has said the ransomware attack resulted in some personal information being posted on the dark web, a part of the internet that can be accessed through special software.

Meanwhile, the company confirmed in July the breach had also affected former customers, but the report says it still doesn’t know how many people fall into that category.

“Given the impact of the incident on the company’s systems, the information available (about former customers) … is limited,” the report says. “It will not be possible to determine with certainty when these individuals ceased to be customers of NS Power.”

On May 14, Nova Scotia Power said the consumer reporting agency TransUnion would provide the 277,000 affected customers with two years of credit monitoring at no cost. That offer was extended to five years for all customers on June 25.

“Customers will not pay for any costs incurred by Nova Scotia Power for credit monitoring resulting from this incident,” the utility said at the time. But the utility has yet to say if affected ratepayers will be compensated for potential losses.

This report by The Canadian Press was first published Sept. 9, 2025.