Nova Scotia Power Faces Regulatory Scrutiny and Potential Fine Following Ransomware Attack

Nova Scotia Power's handling of a sophisticated ransomware attack that exposed the personal information of approximately 280,000 customers is now under intense regulatory and governmental scrutiny, with provincial officials weighing a significant financial penalty against the utility provider.

Incident Overview

On April 25, 2025, Nova Scotia Power and parent company Emera disclosed they had discovered unauthorized access to portions of their Canadian network and servers. The breach, however, had actually occurred more than a month earlier on March 19, 2025—a significant timeline gap that has become a central point of criticism.

The attack compromised extensive customer data including:

  • Names and addresses
  • Driver's license numbers
  • Canadian Social Insurance Numbers (SINs)
  • Bank account details (for customers using pre-authorized payments)
  • Power consumption records
  • Service requests and billing history
  • Customer correspondence

Initial estimates suggested approximately half of Nova Scotia Power's 550,000 customer base was affected. However, subsequent investigations revealed the scope may be far broader, with recent reports to the Nova Scotia Energy Board indicating that all customers may have been impacted in some capacity.

Attribution and Sophistication

On November 25, 2025, Nova Scotia Power CEO Peter Gregg testified before a provincial legislative committee that expert assessments indicate "a high degree of confidence that the activity was closely associated with a Russia-based threat actor group." Gregg characterized the incident as an "unprecedented, sophisticated and targeted attack."

The utility refused to pay the ransom demand, aligning with guidance from the Canadian Centre for Cyber Security and citing coordination with law enforcement. However, threat actors subsequently published portions of the stolen data on the dark web.

Regulatory Response and Potential Fine

Premier Tim Houston expressed strong disappointment with the utility's response, stating that Nova Scotia Power "appears to be shrugging its shoulders without providing adequate explanations to affected customers." The provincial government is now considering imposing a fine on the utility, with Houston emphasizing that "ratepayers would not bear the burden of any potential financial penalties."

Government officials have suggested the fine should be substantial. When asked to quantify an appropriate penalty, Kyle MacQuarrie, a member of the governing Progressive Conservatives, stated it "would have to have six zeros"—indicating a fine of at least $1 million.

This potential penalty would join other recent financial consequences for Nova Scotia Power. In September 2025, the utility faced a $1 million penalty for failing to meet performance standards for the eighth consecutive year—a separate issue from the cybersecurity breach.

Operational Impact and Customer Complaints

The ransomware attack disrupted critical business systems, forcing Nova Scotia Power to:

  • Suspend its online customer portal MyAccount
  • Temporarily halt billing operations
  • Shift to estimated billing when service resumed, because smart meters could not be read remotely

This shift to estimated billing generated significant customer complaints about overbilling. The utility pledged to work on automatically reimbursing customers who were overcharged, rather than requiring them to request refunds individually. CEO Gregg indicated crews were working around the clock to restore remote meter reading functionality, with a target completion date of the end of March 2026—nearly one year after the breach occurred.

Federal Government Statement on Critical Infrastructure

The day after Gregg's testimony, the federal government issued a statement highlighting the broader implications of such attacks. National Defence Minister David McGuinty and Public Security Minister Gary Anandasangaree emphasized that "cyberattacks targeting Canadian critical infrastructure are a real and urgent threat," noting that any disruption poses risks to "public health, environment, public confidence and the economy."

This statement underscores the heightened concern around utility sector cybersecurity, given these organizations' essential role in maintaining critical services.

Regulatory Investigations

Multiple regulatory bodies have launched investigations:

Nova Scotia Energy Board

The provincial energy regulator opened a formal proceeding to investigate the incident, engaging cybersecurity experts to assist in the matter. The Board's scope of investigation includes:

  • Review of the incident's cause
  • Nova Scotia Power's reporting to authorities
  • The utility's response to the incident
  • Impact on ratepayers and utility operations

The Board approved a $1.8 million cybersecurity improvement project (the Next Generation Network Security Design project) in June 2025, just weeks after the attack. This project aims to enhance the utility's IT network and firewall infrastructure. Notably, the application for this project was submitted on April 7, 2025—before the breach was discovered but after it had already occurred.

In approving the project, the Board explicitly stated that "it is not known whether this specific project would have prevented or mitigated the breach" and that approval "does not preclude it from assessing the adequacy of N.S. Power's IT systems as part of the board's ongoing investigation."

Office of the Privacy Commissioner of Canada

Under federal jurisdiction, the Privacy Commissioner is conducting an investigation into potential PIPEDA violations related to the breach.

PIPEDA Compliance Implications

The breach highlights critical compliance obligations under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations subject to PIPEDA must:

Breach Notification Requirements

  • Report to the Privacy Commissioner: Breaches creating a "real risk of significant harm" must be reported to the Office of the Privacy Commissioner of Canada "as soon as feasible"
  • Notify affected individuals: Direct notification must be provided to all individuals facing real risk of significant harm
  • Notify third parties: Organizations must inform other entities that may be able to reduce harm risk

Record-Keeping Obligations

PIPEDA requires organizations to maintain records of all breaches of security safeguards—not just those meeting the "real risk of significant harm" threshold—for a minimum of 24 months. These records must contain sufficient detail to enable the OPC to verify compliance.

Penalties for Non-Compliance

Knowingly contravening PIPEDA's reporting, notification, and record-keeping requirements constitutes an offense that can result in significant fines. While the OPC doesn't directly issue fines, it can refer matters to the Attorney General of Canada for prosecution.

Timeline Concerns

The 37-day gap between the breach occurrence (March 19) and its discovery (April 25), followed by an additional three days before disclosure (April 28), raises important questions about:

  • Detection capabilities and monitoring effectiveness
  • Mean time to detect (MTTD) metrics
  • Incident response preparedness
  • Compliance with PIPEDA's "as soon as feasible" notification requirement

By the time customers were notified in early May, nearly two months had elapsed since the initial unauthorized access. This delay amplified potential harm, as affected individuals had no opportunity to take protective measures during this window.

Credit Monitoring and Customer Support

Nova Scotia Power initially offered two years of free credit monitoring through TransUnion to affected customers. As the scope of the breach became clearer, the utility expanded this to five years of coverage for all current and former customers, regardless of whether they received a formal notification letter.

The utility has also committed that customers will not bear any costs related to the breach, including credit monitoring expenses.

Key Compliance Lessons

This incident provides several critical takeaways for organizations managing sensitive customer data:

1. Investment in Detection Capabilities

The month-long gap between breach and discovery highlights the importance of:

  • Continuous monitoring and threat detection
  • Security Information and Event Management (SIEM) systems
  • User and Entity Behavior Analytics (UEBA)
  • Network traffic analysis
  • Endpoint detection and response (EDR)

2. Legacy System Vulnerabilities

The utility's own application noted that a majority of its network equipment had already been considered "end of life" in 2016, yet some of it remained in use. This underscores the security risks of:

  • Outdated infrastructure
  • Unsupported systems
  • Deferred security upgrades
  • Technical debt accumulation

3. Incident Response Planning

Effective incident response requires:

  • Pre-established response teams and protocols
  • Clear communication strategies
  • Predetermined notification processes
  • Regular testing and tabletop exercises
  • Customer service capacity planning for breach response

4. Third-Party Forensics Engagement

Nova Scotia Power engaged external cybersecurity experts immediately upon discovery. This best practice ensures:

  • Specialized expertise in forensic analysis
  • Independent assessment and validation
  • Objective breach scope determination
  • Regulatory credibility

5. Transparency and Communication

The perceived inadequacy of Nova Scotia Power's customer communications—described by the Premier as "shrugging its shoulders"—demonstrates that technical response alone is insufficient. Organizations must:

  • Provide clear, detailed explanations to affected parties
  • Demonstrate accountability and concrete remediation steps
  • Maintain regular communication throughout the investigation
  • Show empathy and understanding for customer concerns

6. Regulatory Preparedness

Organizations should anticipate multi-jurisdictional investigations following significant breaches, including:

  • Privacy commissioners
  • Industry-specific regulators (energy boards, financial regulators, etc.)
  • Law enforcement agencies
  • Potential civil litigation

Critical Infrastructure Considerations

As a provincially regulated utility providing electricity to 550,000 customers, Nova Scotia Power occupies a unique position as critical infrastructure. This designation carries heightened expectations around:

  • Resilience: Systems must continue operating even during cyber incidents
  • Security investment: Proportional to the criticality of services provided
  • Coordination: With government agencies and law enforcement
  • Transparency: Public reporting and accountability
  • Continuity: Maintaining service delivery during and after incidents

The fact that physical operations were not disrupted—generation, transmission, and distribution facilities continued functioning—demonstrates successful segregation of IT and operational technology (OT) networks. However, the business system compromise still created significant customer impact through billing disruptions.

Financial and Reputational Impact

Beyond potential regulatory fines, Nova Scotia Power faces:

  • Legal exposure: Potential class-action lawsuits from affected customers
  • Remediation costs: Forensic investigation, system rebuilding, enhanced security measures
  • Operational costs: Credit monitoring services, customer support, manual meter reading
  • Insurance implications: Potential coverage and future premium impacts
  • Reputational damage: Eroded customer trust and regulatory confidence

The Premier's explicit statement that the government would oppose any attempt to recover breach costs from ratepayers adds additional financial pressure on the utility and its parent company, Emera.

Looking Forward

As investigations continue and potential fines are deliberated, several questions remain:

  1. Attribution confirmation: While Russia-based actors are suspected, has attribution been definitively established?
  2. Root cause analysis: What specific vulnerabilities enabled the 37-day undetected presence?
  3. Data misuse: Has any evidence emerged of the stolen data being used for fraud or identity theft?
  4. Systemic improvements: What concrete security enhancements beyond the $1.8M project are being implemented?
  5. Regulatory framework: Will this incident drive changes to cybersecurity requirements for Canadian utilities?

Recommendations for Utility Sector Organizations

Based on this incident, utilities and other critical infrastructure operators should:

  1. Conduct comprehensive security assessments of all systems handling customer data
  2. Upgrade legacy infrastructure proactively, rather than waiting for incidents
  3. Implement defense-in-depth strategies with multiple layers of security controls
  4. Enhance detection and monitoring to minimize dwell time for attackers
  5. Test incident response plans through realistic tabletop exercises
  6. Review breach notification procedures to ensure PIPEDA compliance
  7. Establish clear governance for cybersecurity at the board and executive level
  8. Invest in security awareness training across the organization
  9. Engage regularly with regulators on security posture and improvements
  10. Develop transparent communication strategies for customer notification

Conclusion

The Nova Scotia Power ransomware attack represents a significant case study in critical infrastructure cybersecurity and regulatory compliance. The potential fine being considered by the provincial government sends a clear message about accountability expectations for organizations managing sensitive customer data and providing essential services.

For compliance professionals and cybersecurity leaders, this incident reinforces that regulatory consequences extend beyond privacy commissioner investigations to include sector-specific regulators and governmental intervention. The emphasis on protecting ratepayers from bearing breach costs also establishes an important precedent that may influence how other jurisdictions approach utility sector cybersecurity failures.

As investigations progress and final determinations are made regarding fines and remediation requirements, this case will likely shape Canadian critical infrastructure cybersecurity policy for years to come.


For organizations seeking assistance with PIPEDA compliance, incident response planning, or cybersecurity assessments, contact QSai LLC's CISO Marketplace for expert guidance tailored to your sector and risk profile.

Sources:

  • Nova Scotia Power official statements and filings
  • Nova Scotia Energy Board proceedings
  • Canadian Press reporting
  • Office of the Privacy Commissioner of Canada guidance
  • PIPEDA legislation and regulations
