On May 15, 2025, Nova Scotia Power confirmed a data breach involving the theft of customer information in a targeted cyberattack. As a regulated utility and subsidiary of Emera Inc., Nova Scotia Power’s systems form part of Canada’s critical infrastructure, making the breach particularly concerning for public trust and national cybersecurity policy.

The company disclosed that unauthorized actors gained access to internal systems and exfiltrated personally identifiable information (PII) tied to customer accounts.

Timeline and Scope of the Breach

  • April 29, 2025: Suspicious activity was detected in internal systems.
  • May 1, 2025: Nova Scotia Power initiated an investigation with external cyber forensic partners.
  • May 10, 2025: Breach confirmed; systems segmented; CISA-equivalent notified.
  • May 15, 2025: Public disclosure confirms theft of customer data affecting an undisclosed portion of accounts.

The company has not attributed the attack to a specific group, but tactics observed suggest a financially motivated threat actor, potentially using initial access brokers (IABs) or ransomware-as-a-service (RaaS) affiliates.

Initial Access and Threat Actor Tactics

While technical forensics are ongoing, early indicators point to:

  • Initial Access: Likely via phishing email targeting internal users or exploitation of a public-facing asset, possibly a VPN gateway or outdated third-party platform.
  • Privilege Escalation: The attackers moved laterally into customer information systems, potentially exploiting unpatched Active Directory components or poor credential hygiene.
  • Exfiltration: Network logs show outbound data transfers to anonymized infrastructure, possibly via:
      ◦ Encrypted reverse proxies
      ◦ Legitimate cloud storage abused as staging points (e.g., Dropbox API)

No ransomware encryption was confirmed, but data theft and extortion remain likely motives.

What Data Was Stolen

Nova Scotia Power disclosed that the stolen data may include:

  • Full names
  • Home addresses
  • Utility account numbers
  • Email addresses
  • Potentially partial billing or payment details

The breach did not impact grid operations, smart meter networks, or SCADA systems. However, the data involved poses a significant identity theft risk and opens the door for future phishing and fraud campaigns.

Impact to Operations and Customers

⚠️ Operational Impact

  • No reported outage or grid disruption
  • Internal IT teams initiated containment, isolation, and segmentation protocols

👥 Customer Impact

  • Notifications sent to impacted users
  • Credit monitoring offered
  • Trust erosion is a major concern given the regulatory status and essential nature of the utility

This incident aligns with a growing trend of targeted attacks against utilities for data monetization and extortion, even if operations remain unaffected.

Security Posture and Incident Response Gaps

Key cybersecurity concerns highlighted by this breach:

  1. Third-Party and Legacy System Exposure
    Utilities often rely on aging platforms that expose APIs or portals vulnerable to known exploits.
  2. Insufficient Segmentation Between IT and OT
    While operations weren’t hit, lack of granular access controls likely enabled deeper-than-expected lateral movement in IT systems.
  3. Delayed Threat Detection
    It took days to confirm the breach after suspicious activity—a gap in real-time threat detection capabilities.
  4. Lack of Endpoint Visibility Across Enterprise Systems
    Traditional AV systems may not be tuned to detect lateral movement and data exfiltration tools.

Mitigation and Recommendations for Utilities

Utilities must improve readiness against similar breaches by adopting proactive, defense-in-depth strategies:

🔐 Technical Controls

  • Enforce Zero Trust Architecture: No implicit trust across internal segments, especially between IT and customer data systems
  • Apply Network Detection and Response (NDR) to monitor anomalous outbound flows
  • Encrypt all customer data at rest and in motion, with secure access control and audit logging
  • Deploy EDR/XDR across all user and contractor endpoints
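Detection logic for the exfiltration pattern described above (bulk uploads to cloud storage abused as a staging point) and for the NDR control recommended here, as an added example that is not from the original post or from Nova Scotia Power: it aggregates outbound bytes per source host, destination and hour over constructed proxy-log lines and flags either a large upload to a watch-listed cloud-storage domain or an hourly volume far above an assumed baseline. The log format, the domain watchlist, the 50 MiB/hour baseline and the sample addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Cloud-storage domains attackers abuse as exfil staging points (assumed
# watchlist; extend it with the services your environment actually uses).
STAGING_DOMAINS = {"dropboxapi.com", "dropbox.com"}
BASELINE_BYTES_PER_HOUR = 50 * 1024 * 1024   # assumed per-host egress baseline
ANOMALY_MULTIPLIER = 5                       # volume alert when > 5x baseline

# Constructed proxy-log sample, "ts,src_ip,dst_host,bytes_out" (not real logs)
SAMPLE_LOG = """\
2025-04-29T02:10:11Z,10.20.5.17,content.dropboxapi.com,734003200
2025-04-29T02:14:52Z,10.20.5.17,content.dropboxapi.com,512000000
2025-04-29T09:03:05Z,10.20.7.44,www.example.com,20480
2025-04-29T09:05:21Z,10.20.7.44,cdn.example.net,4096000
2025-04-29T09:07:33Z,10.20.7.44,files.example.net,314572800
2025-04-29T11:40:00Z,10.20.9.8,content.dropboxapi.com,1048576
"""

@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_host: str
    hour: str
    bytes_out: int
    reason: str

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for a small watchlist."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def detect_exfil(log_text: str) -> list[Alert]:
    """Sum outbound bytes per (src, dst, hour) and flag suspicious flows."""
    totals: dict[tuple[str, str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        totals[(src, dst, ts[:13])] += int(nbytes)   # ts[:13] == YYYY-MM-DDTHH
    alerts = []
    volume_threshold = BASELINE_BYTES_PER_HOUR * ANOMALY_MULTIPLIER
    for (src, dst, hour), total in sorted(totals.items()):
        if registered_domain(dst) in STAGING_DOMAINS and total > BASELINE_BYTES_PER_HOUR:
            alerts.append(Alert(src, dst, hour, total, "bulk upload to cloud-storage staging domain"))
        elif total > volume_threshold:
            alerts.append(Alert(src, dst, hour, total, "outbound volume above baseline"))
    return alerts
```

The small 1 MiB Dropbox upload from 10.20.9.8 stays below the baseline and is not flagged, which is the point of aggregating per host and hour rather than alerting on every hit against the watchlist.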

🧠 Operational Enhancements

  • Run red team exercises that emulate IAB-style initial access and ransomware affiliate tradecraft
  • Maintain and drill an Incident Response Playbook tailored for utilities
  • Include regulatory readiness for PII breach notification and transparency obligations

👥 Customer-Facing Protections

  • Use multi-factor authentication for customer accounts
  • Scan for leaked customer credentials or account patterns across the dark web
  • Preemptively inform users on how to identify fraud attempts following the breach

Conclusion: Defending Critical Infrastructure Data

The Nova Scotia Power cyberattack is another clear signal that critical infrastructure is a high-value, low-resilience target for modern attackers. As threat actors evolve beyond ransomware to data-centric extortion, utilities must invest in stronger detection, segmented environments, and coordinated incident response.

Security isn’t just about keeping the lights on—it’s also about protecting the people whose data keeps the grid running.
