
The Recent Cyberattack on Nova Scotia Power: What to Know


In April 2025, Nova Scotia Power (NSP), the province’s primary electricity utility, publicly acknowledged a serious cybersecurity breach. Since then, new evidence has emerged suggesting the scope of the incident could be significantly broader than early estimates.

What was initially thought to affect “about half” of its customer base may now involve all customers in some capacity.

Let's dive into the insights taken from this ongoing investigation:

What We Know About the Cyberattack on Nova Scotia Power

  • Expanded Customer Impact: Originally, NSP stated approximately 277,000 ratepayers were affected. A recent report to the Nova Scotia Energy Board indicates that “all of the company’s customers may have been impacted by the cyberattack.” However, NSP has stated that it still cannot determine, for each individual customer, which specific pieces of information were accessed

  • Operational Disruptions and Billing Issues: Smart meters continued recording usage data, but communications between those meters and corporate systems broke down due to the breach. As of June, NSP began issuing estimated bills because actual usage data could not be retrieved. Later, field meter-readers were deployed to physically collect data in many locations

  • Credit Monitoring and Regulatory Responses: Originally, NSP offered two years of free credit monitoring to affected customers. As awareness of the breach’s scale grew, that offer was expanded to five years for all current and former customers. Regulatory bodies, including the Nova Scotia Energy Board and the Office of the Privacy Commissioner of Canada, have launched investigations

  • Nature of the Data Compromised: The PII exposed includes names, dates of birth, email addresses, home addresses, driver’s license numbers, and customer account details. In some cases, bank account numbers (for pre-authorized payments) and Social Insurance Numbers (SINs) may have been compromised

What is the Estimated Impact of the Breach?

There are several indications that the recent breach may have caused more serious and lasting damage than what has been publicly disclosed.

Firstly, the extent of former customer exposure remains unknown. NSP has confirmed that not only current account holders, but also former customers, were impacted. However, gaps in historical records (complicated further by past system migrations and archival backups) make it difficult to identify all those affected. This uncertainty creates long-term risks for individuals whose data may have been accessed without their knowledge.

Secondly, NSP is currently unable to link leaked data to specific individuals. With data spread across multiple silos and heavily interdependent systems, NSP has admitted it cannot yet confirm exactly which personal records were exposed. This limitation means customers remain in the dark about whether they should take protective actions, such as subscribing to identity theft monitoring or freezing credit files.

Thirdly, the breach timeline highlights significant dwell time before detection. Investigators traced the attack back to March 19th, 2025, but it was not publicly discovered until late April. This month-long window may have provided attackers with ample opportunity to exfiltrate data, perform reconnaissance, and establish additional footholds for future access, magnifying the overall risk.

Lastly, there are emerging concerns around smart meter compromises and billing implications. Since the breach, some smart meters have been unable to communicate usage data to NSP’s corporate systems, resulting in estimated bills. This has led to overcharging or undercharging in some cases, frustrating customers and eroding trust. If meter-related metadata or logs were accessed, the implications extend beyond billing, potentially exposing sensitive behavioral patterns, such as daily routines and occupancy, tied to specific households.

What's at Stake

  • Customer Trust and Reputation: A utility company relies heavily on public trust. When customers are impacted, even unknowingly, the reputational damage could extend for years

  • Financial Liability and Regulatory Exposure: With SINs, bank details, driver’s licenses, and possibly payment information exposed, NSP may face class-action lawsuits, regulatory penalties, and mandates for compensation depending on Canada’s privacy and consumer protection laws

  • Risk of Secondary Attacks: Compromised personal data could be used in phishing, identity theft, financial fraud, or social engineering attacks. The fact that some data is now reportedly on the Dark Web increases the urgency for preventive measures

  • Operational and Legal Costs: Remediation, legal fees, notifications, credit monitoring, and system upgrades all carry direct costs. There are also potential costs related to audits, regulatory compliance, and indemnification

The Nova Scotia Power Cyber Breach: The Top Takeaways For Organizations

What can organizations across varying sectors take away from this recent breach with regard to post-breach best practices?

Individuals should begin by closely monitoring their financial accounts and credit reports. Even if free credit monitoring is being offered, it’s critical to proactively track for suspicious activity, such as unauthorized transactions or new accounts opened fraudulently in their name.

Another important step is to lock down identity data. Sensitive documents like driver’s licenses and Social Insurance Numbers should not be stored or shared unnecessarily. Limiting the reuse of credentials across multiple services can also help reduce the chance of cascading breaches.

At the same time, people must remain alert for phishing and social engineering attempts. With personal information now exposed, attackers may craft convincing fraudulent communications that appear to come from NSP or related organizations. Recognizing and avoiding these threats is essential to preventing further compromise.

Takeaways for the Utility Industry

Cyber incidents in the utility industry aren’t just privacy or financial issues; they can also affect public safety, regulatory compliance, and the reliability of essential services. The Nova Scotia incident has broader lessons, such as:

  • Visibility Across Legacy and New Systems: Meters, billing, and customer records must all be included in security reviews

  • Rapid Detection and Incident Response: The earlier a breach is discovered, the less time attackers have to cause damage. A robust Incident Response Plan is key

  • Comprehensive Communication and Regulatory Preparedness: Transparent communication with customers, regulators, and law enforcement builds trust and may reduce penalties

Conclusion

The Nova Scotia Power cyberattack serves as a powerful reminder of how deeply a modern breach can ripple outward. What started as a breach affecting a portion of customers may now touch everyone, underscoring how limited visibility, delayed discovery, and interwoven systems can dramatically amplify risk.

Moving forward, utility companies must treat customer data protection (not just service uptime) as a core priority in cyber resilience.
