Nova Scotia Power Data Breach: Critical Infrastructure Under Attack

Overview

In May 2025, Nova Scotia Power confirmed a serious cybersecurity breach that exposed highly sensitive customer information, including banking details and Social Insurance Numbers. As the province's main electricity provider and a subsidiary of Emera Inc., the company’s security lapse reignited concerns over the digital safety of Canada’s critical infrastructure.

This breach didn’t occur in isolation. It follows a troubling trend that began with the 2023 compromise of MOVEit Transfer, a widely used file-sharing software that impacted numerous government departments in Nova Scotia. In both cases, sensitive data was quietly exfiltrated before detection, revealing persistent gaps in cybersecurity monitoring and incident response.

How It Happened

The intrusion into Nova Scotia Power’s systems occurred on March 19, 2025, but wasn’t discovered until over a month later, on April 25. During that undetected window, threat actors were able to move laterally across internal systems, accessing and exfiltrating sensitive customer records.

By May 1, the company had confirmed the data theft and launched a notification campaign. Though Nova Scotia Power has not publicly shared technical details of the attack—such as whether it involved phishing, credential abuse, or a third-party vulnerability—it emphasized that the incident was not related to the earlier MOVEit breach.

Still, the echoes are hard to ignore. In the MOVEit case from 2023, hackers exploited a zero-day vulnerability to breach systems at the Government of Nova Scotia. That incident affected multiple agencies, exposed a trove of citizen data, and forced a rapid overhaul of third-party risk protocols. Both events reflect the growing complexity and frequency of attacks on organizations that manage massive volumes of personal data.

What’s at Risk

The stolen data includes a combination of personal identifiers and financial records—names, contact information, addresses, birth dates, program participation, account histories, driver’s license numbers, bank account details, and Social Insurance Numbers. This kind of dataset is a goldmine for cybercriminals seeking to commit identity theft, launch social engineering attacks, or conduct financial fraud.

Though Nova Scotia Power says there is no evidence that the data has been misused, that statement offers little comfort to customers whose SINs and banking details may now reside in criminal marketplaces.

The company is offering affected individuals two years of free credit monitoring through TransUnion’s myTrueIdentity® service. Formal notification letters are being sent by mail, and customers are urged to stay alert for phishing emails and suspicious activity.

Conclusion

The Nova Scotia Power breach is not just a data privacy failure — it is a systems-level issue that points to the fragility of digital defences in public utilities. With the MOVEit incident still fresh in institutional memory, this latest compromise reinforces a hard truth: threat actors are now systematically targeting sectors that underpin everyday life.

The extended dwell time, the sensitivity of the data, and the lack of immediate attribution all point to an increasingly professionalized threat landscape. For customers, the next steps involve monitoring, caution, and perhaps frustration. For Nova Scotia Power and the broader utility sector, the message is clear: cybersecurity is not an afterthought. It is operational infrastructure.

As attacks on critical services grow in frequency and sophistication, proactive defense, continuous threat detection, and robust incident response must become the new normal.

Stay safe, stay ahead!