Nova Scotia Power has confirmed that it suffered a ransomware attack that exposed personal and financial data of about 280,000 customers. The Canadian utility said on Friday that hackers broke into its systems and later published stolen data after the company refused to pay the ransom.
The breach was first detected on April 25, 2025, when Nova Scotia Power’s IT team found signs of unauthorized access to some of its servers and parts of its network.
Attack Dwell Time and Data Exposure
A deeper investigation revealed that the initial breach happened much earlier, around March 19, 2025. This gave the attackers roughly five weeks of undetected access to the company’s systems.
This attack is an example of a “double extortion” ransomware model. Hackers not only encrypted files but also stole sensitive data to pressure the company into paying.
With extended access to the network, the attackers mapped out systems, moved through different segments, and stole large amounts of data before locking the files. Security experts say such ransomware often uses AES-256 and RSA encryption to make data unreadable without a decryption key.
What Data Was Stolen
The stolen data includes personal details such as names, birthdates, phone numbers, email addresses, service locations, and account histories.
More critically, the hackers accessed sensitive financial information. This includes Social Insurance Numbers, driver’s license numbers, and bank account details of customers using pre-authorized payments.
How the Attack May Have Happened
Cybersecurity analysts believe the attackers used advanced methods like phishing, stolen credentials, or software flaws to get into the system. They likely escalated privileges as they moved through the network to reach the most valuable data.
Experts say the scale and tactics of the attack suggest the involvement of a professional ransomware-as-a-service (RaaS) group.
Company Response and Customer Protection
Nova Scotia Power confirmed that it did not pay the ransom. The company said it made this decision based on legal advice and guidance from law enforcement. It’s possible the attackers are linked to groups under international sanctions, which would make payment illegal.
To help customers, the company has partnered with TransUnion to offer two years of free credit monitoring through the TransUnion myTrueIdentity® program.
Customers are urged to stay alert for phishing emails and other scams that may try to use the stolen information.
Systems Recovery and Infrastructure
Importantly, the attack did not affect Nova Scotia Power’s physical systems, including electricity generation, transmission, or distribution. The utility continues to serve about 550,000 customers across Nova Scotia.
The company is working with outside cybersecurity experts to recover affected systems and improve security protections.