
The Nova Scotia Power malware attack was caused by an employee visiting a compromised website, the Office of the Privacy Commissioner of Canada revealed Thursday.
On or around March 19, 2025, the employee visited a website that had been compromised by the SocGholish fake updates malware. The employee clicked on a link in a pop-up on that site, which resulted in malware being downloaded and installed on Nova Scotia Power’s systems.
The malware created a background process and downloaded additional malware. This allowed access to Nova Scotia Power’s systems and network.
The report shows that on or around April 8, 2025, someone began to move across systems in the Nova Scotia Power network, using accounts with domain administrator privileges. Between April 8 and 22, they deployed and leveraged additional malware to perform reconnaissance and credential harvesting.
Between April 23 and 25, they removed data from on-premises network files and cloud storage. On April 25, they used credentials acquired during data harvesting to destroy backups and deploy ransomware.
Discovery and reaction
The breach was discovered on April 25, when Nova Scotia Power employees reported that certain applications were not functional.
“Nova Scotia Power received communications from the threat actor that included a hyperlink to an unlisted page accessible through the Tor network on the dark web. The threat actor provided proof that it had obtained sensitive customer information, but no evidence has yet emerged that this sensitive data has been made public or sold,” the report said.
Nova Scotia Power did not pay a ransom to the hacker.
The utility determined that about 375,000 current customers and about 540,000 former customers were affected by the breach.
The compromised personal information varied by affected individual but included names, phone numbers, email addresses, mailing addresses, dates of birth, customer account histories (including customer payment/billing/credit history/bank account numbers), driver’s licence numbers and social insurance numbers.
On its website, Nova Scotia Power stated that it was acting on commitments that focus on continuing to address the risks stemming from the attack and preventing future breaches.
