Hackers steal personal data from Nova Scotia Power in March cyberattack

Nova Scotia Power, the main electricity provider for over 500,000 customers in the Canadian province, confirmed a significant cybersecurity breach that compromised a wide range of sensitive customer information. The incident, which occurred in March 2025 but was formally disclosed in April, has sparked widespread concern over the safety of customer data and the broader cybersecurity posture of utilities handling critical infrastructure in Canada.

What Happened in the Nova Scotia Power Cyberattack?

According to the utility, the breach was first discovered on April 25, 2025, following the detection of unusual network activity. A subsequent investigation revealed that unauthorized access to portions of Nova Scotia Power’s internal network had occurred as early as March 19, 2025. Though electricity production and distribution operations were reportedly unaffected, the breach enabled hackers to exfiltrate extensive personal information from company systems. Nova Scotia Power is a subsidiary of Emera Inc., a publicly traded energy company based in Halifax, Nova Scotia.

Internal operations faced temporary disruptions during the company’s containment and remediation efforts. The utility has not yet confirmed the specific vector used for the breach, but has stated that it is working with third-party cybersecurity experts and law enforcement agencies to complete a forensic investigation and reinforce its digital defenses.

What Customer Information Was Exposed in the Breach?

The breach involved the compromise of a broad array of personally identifiable information (PII) and financial data. This included customers’ full names, dates of birth, email and physical addresses (both mailing and service addresses), and customer service history, such as billing records, payment details, and credit history. Even more concerning, the attackers also accessed Social Insurance Numbers (SINs), driver’s license numbers, and in some cases, bank account numbers associated with pre-authorized payment arrangements.

Nova Scotia Power confirmed that affected customers are being individually notified via mail and are being offered a free two-year subscription to TransUnion’s myTrueIdentity® credit monitoring and identity theft protection services. While the company maintains that there is currently no confirmed evidence of misuse of the stolen data, security experts caution that such information can be exploited long after initial theft, raising the risk of future fraud or identity theft.

How Has Nova Scotia Power Responded to the Cybersecurity Incident?

In response to the incident, Nova Scotia Power has initiated a multi-stage mitigation plan. This includes securing its network infrastructure, deploying advanced monitoring tools to detect unauthorized activity, and collaborating with cybersecurity partners to identify system vulnerabilities. A spokesperson for the utility emphasized that the company had taken immediate action to prevent further unauthorized access and had notified the federal Office of the Privacy Commissioner of Canada (OPC), in accordance with national data breach notification laws.

Additionally, the utility has warned customers of an increase in phishing attempts following the breach, with some fraudulent messages appearing to originate from Nova Scotia Power itself. Customers are being urged to avoid clicking on suspicious links or opening unexpected email attachments, especially those purporting to offer refunds or claim billing issues. The company’s customer service channels are reportedly experiencing high traffic, as customers seek guidance and reassurance in the wake of the breach.

Why Are Cyberattacks on Utilities Increasing in Frequency?

Cybersecurity professionals say the incident underscores a growing trend of cyberattacks targeting critical infrastructure providers, including electric utilities, water treatment facilities, and transportation networks. These sectors often rely on legacy systems that may lack the latest security protocols and patches, making them attractive targets for cybercriminals and nation-state actors.

In recent years, Canadian and U.S. utilities have increasingly found themselves in the crosshairs of cybercriminal organizations deploying ransomware, wiper malware, and data exfiltration campaigns. While Nova Scotia Power has not disclosed whether the attack involved ransomware, the silence from known ransomware groups and the nature of the stolen data suggest that the breach may have been part of a data harvesting operation rather than a ransom-for-decryption demand.

Utilities are now under pressure to modernize their cybersecurity infrastructure, implement zero-trust architectures, and ensure robust incident response frameworks. The Canadian Centre for Cyber Security (CCCS) has previously issued advisories warning utility companies about increasing cyber threats, urging comprehensive risk assessments, continuous staff training, and third-party cybersecurity audits.

How Might This Breach Affect Investor Sentiment Toward Emera Inc.?

As the parent company of Nova Scotia Power, Emera Inc. could experience reputational damage from the fallout of the breach, even if its own corporate systems were not directly compromised. While Emera’s stock price had remained relatively stable in the days immediately following the disclosure, analysts suggest the long-term impact may depend on the findings of the forensic investigation, regulatory responses, and whether any misuse of stolen data emerges in the coming weeks.

Cybersecurity risks are increasingly being factored into investment decisions, particularly in industries deemed essential to national security and public welfare. Institutional investors and ESG (Environmental, Social, and Governance) rating agencies have begun assigning greater weight to data privacy, breach disclosure practices, and third-party cybersecurity certifications when evaluating utility sector investments.

Moreover, if legal proceedings or regulatory penalties arise from the incident, it could trigger a reassessment of Emera’s risk profile and governance practices. A similar data breach in the utility sector previously led to a shareholder class action in the U.S., illustrating the potential legal liabilities attached to such events.

What Can Customers and Stakeholders Expect Next?

Nova Scotia Power has committed to ongoing updates as its investigation progresses and expects to conclude its internal review in the coming weeks. Customers affected by the breach are being provided with detailed instructions on enrolling in credit monitoring and are advised to remain vigilant for suspicious activity on their financial accounts and credit reports.

At the national level, the breach may reignite calls for stronger regulatory oversight of critical infrastructure cybersecurity, including mandatory breach notification timelines, third-party audits, and minimum security standards for utility providers. Federal authorities are also reportedly evaluating whether the breach poses broader national security or economic implications.

As of now, no specific threat actor or hacking group has claimed responsibility for the breach. The absence of attribution makes it difficult to assess the full scope of the threat, but cybersecurity researchers note that the stolen dataset’s content—highly sensitive, easily monetizable, and tied to critical infrastructure—would be valuable on dark web markets and underground forums.

How Does This Breach Reflect Broader Cybersecurity Trends?

The Nova Scotia Power breach exemplifies the growing threat landscape facing public utilities and critical infrastructure providers. In 2023 and 2024, high-profile breaches across North America targeted water systems, hospitals, energy pipelines, and even municipal governments. Many of these breaches were not only financially disruptive but also impacted public trust and safety.

Cybersecurity experts continue to warn that no organisation is immune from such risks, especially as cybercriminal tools become more sophisticated and widely available. The breach reiterates the need for companies to adopt a proactive, rather than reactive, cybersecurity posture—focusing on prevention, rapid detection, and coordinated response.

In the aftermath of this incident, Nova Scotia Power’s next steps will be closely scrutinized by regulators, privacy advocates, and the broader public. Its ability to restore confidence and demonstrate long-term improvements in its cybersecurity readiness may ultimately determine how much lasting damage the breach causes.