Theft of NS Power customer data is likely ransomware attack: security experts

Power lines are seen in Dartmouth, N.S., on Thursday, Nov. 29, 2018. THE CANADIAN PRESS/Andrew Vaughan

HALIFAX — Security experts say the theft of customer data from Nova Scotia's electric utility has the hallmarks of an extortion attempt by cybercriminals.

In a news release following the April 25 data breach, the utility said it notified police about the theft and confirmed that "certain customer personal information was accessed and taken by an unauthorized third party."

Nova Scotia Power, however, refuses to say whether it was being extorted by criminals. But cybersecurity experts have little doubt about what happened.

The breach at the utility "walks, talks, barks like a ransomware attack" or other similar forms of cyber extortion, David Shipley, CEO of New Brunswick-based Beauceron Security, said in a recent interview.

Ransomware extortionists use malicious software to infiltrate a system to prevent companies from accessing files and then demand a ransom — often cryptocurrency — to unlock them. Shipley said there are also instances of "double extortion," cases in which cybercriminals steal data and threaten to sell it unless they are paid.

Natalia Stakhanova, the Canada research chair in security and privacy at the University of Saskatchewan, said in a recent interview it appears "a ransomware attack happened." She said, "these kinds of organizations have been the target of attacks for a very long period of time. Certainly, Nova Scotia Power is not the first one."

Casey Spears, Nova Scotia Power's social and digital adviser, said last week the company wasn't releasing details about the breach, adding, "we have committed to notifying customers whose data has been affected as soon as our investigation allows."

Mark Plemmons, vice-president of intelligence operation at Dragos Inc. — a global cybersecurity firm that specializes in utilities and large industrial companies — said Tuesday his firm documented 30 cases last year of ransomware attacks against electrical utilities around the world. The Dragos annual report also documented 80 ransomware groups in 2024, compared to 50 the year before.

All four experts say the attack likely involved a criminal organization attempting to make a profit, not a state-sponsored group trying to harm Canadians.

Had the attack against Nova Scotia Power, a subsidiary of Emera, been directed at its infrastructure — at shutting down power plants — then that would have been a sign of the participation of a state-sponsored group, Shipley said.

Plemmons, for his part, said groups who try to infiltrate the operations of utilities use "living off the land techniques," designed to look like legitimate activity within the network. "Once they get in, they blend in and are very difficult to differentiate from legitimate users," he explained. Those kinds of techniques don't seem to have been used in the Nova Scotia Power attack, he said.

The difficulty in the ransomware scenario is bringing the extortion to an end, Shipley said. A recent example, he said, is the breach last December of data belonging to students and staff across Canada held in the PowerSchool system. The Toronto District School Board said this week that four months after it paid a ransom to retrieve the personal information, the board discovered that a "threat actor" made a separate ransom demand in exchange for the same stolen data.

"So, you can't exactly take it to the bank, even if you do pay them, that they're going to delete the data," Shipley said.

The cybercriminals could also sell the information on the "dark web" — a part of the internet accessible only through special software. "We see all kinds of crazy things with identity theft, and it can be extraordinarily painful for individuals. The average Canadian loses about $4,000 when their identity gets hijacked," Shipley said.

Stakhanova said the intrusion highlights the need for Ottawa and provincial governments to bring in regulation requiring stricter protections of personal information held by companies and public institutions.

"As customers, we are very unprotected. We have no control over what happens with the data, our personal data, and we have no say over how the company should protect it and how the company should act in unfortunate cases like this," she said.

Rebecca Brown, a communications officer with the Nova Scotia Energy Board, said in an email that the regulator would hold a "formal proceeding" into the breach.

"The scope of the matter is still to be determined," she noted, adding the review could include studying the cause of the incident and Nova Scotia Power's response, as well as the impact of the breach on the utility and ratepayers.

This report by The Canadian Press was first published May 13, 2025.

Michael Tutton, The Canadian Press
