Canada’s privacy commissioner says a massive breach of Nova Scotia Power’s systems last year started when an employee clicked on a pop-up.
An overview of the breach, posted to the commissioner’s website, says that around March 19, 2025, an employee clicked on a pop-up, resulting in malware being downloaded and installed on the utility’s systems.
“The malware created a background process and downloaded additional malware,” the overview stated. “This allowed the threat actor to gain access to Nova Scotia Power’s systems and network.”
Over the next month, that hacker used various processes to get credentials and harvest data. Between April 23 and 25, the threat actor pulled data from on-premises network files and cloud storage, and then used previously acquired credentials to destroy data backups and deploy ransomware.
“Nova Scotia Power received communications from the threat actor that included a hyperlink to an unlisted page accessible through the Tor network on the dark web,” it said. “The threat actor provided proof that it had obtained sensitive customer information, but no evidence has yet emerged that this sensitive data has been made public or sold.”
The utility did not pay a ransom to the hacker.
According to the commissioner’s overview, Nova Scotia Power has determined that about 375,000 of its current customers and approximately 540,000 former customers were affected by the breach.
On Wednesday, the commissioner announced Nova Scotia Power had committed to deleting customer social insurance numbers by the end of the month, and to an external security review.