-
Nearly a year after a cyberattack hit Canadian utility company Nova Scotia Power, customers have now discovered their stolen personal information is circulating on the dark web.
-
The breach affected 28,000 customer data, allowing the hackers to get their hands on people’s personal info, including names, addresses, banking details and SINs.
-
They believed a criminal group based in Russia was behind the breach, which has now escalated into a chaos of inaccurate billing, regulatory investigations, and a class-action lawsuit.
A cyber attack hit Nova Scotia Power (NSP) nearly a year ago, but it seems the nightmare is far from over for its customers.
Hundreds of thousands of people who have been nervously watching their credit scores are now getting the worst kind of confirmation. Their data is out there on the dark web.
Data from NSP Breach Now Exposed Online
Some customers who signed up for credit monitoring through Trans Union, one of the firms NSP hired to help, recently got notifications that their personal information is now on those hidden, illicit marketplaces, joining a growing list of exposed datasets from recent breaches like the one at French IT firm Réseau.site, where a hacker published user records for the entire dark web to exploit.
The utility initially revealed that hackers stole data belonging to around 280,000 current and former customers. That’s nearly half of their client base. But the scope has widened.
NSP later confirmed that the breach, which happened on or around March 19, 2025, also compromised data from former customers. Though they still couldn’t say exactly how many people the breach affected.
A Goldmine of Information on the Dark Web
The information cybercriminals are now trading is alarmingly comprehensive. After the breach last year, NSP confirmed the content of the stolen files. It included, but was not limited to, names, phone numbers, addresses, and detailed power usage history. But it gets much worse.
For many, it includes driver’s licence numbers. And, in approximately 140,000 cases, social insurance numbers (SINs) and bank account information for pre-authorized payments.
Information like this is a goldmine for criminals online. They can package it and sell it to other fraudsters. Those will then use it to carry out phishing attacks, identity fraud, financial fraud, and other bad things.
This is exactly what unfolded in a recent massive phishing attack that targeted Canadian finance companies and sold data belonging to 750,000 victims on the dark web, a stark reminder that once personal information hits these illicit markets, the damage multiplies rapidly. It’s a total violation of user privacy, which can be really devastating.
Company CEO Peter Gregg told a legislative committee that experts have a “high degree of confidence” that a sophisticated, Russia-based threat actor group carried out the attack.
Why Was NSP Storing All This Data?
Everyone, especially NDP Leader Claudia Chender, questioned why NSP was storing sensitive SINs in the first place. During a heated public accounts committee meeting, investigators grilled the company’s executives, but they only offered a few answers.
Gregg explained they used SINs to authenticate customers’ identities. But when pressed on why they kept this data indefinitely, he repeatedly cited the ongoing investigation. “I don’t have an answer for you today,” he told the committee, a response that left many Nova Scotians furious.
The company says it has now stopped this practice and is permanently deleting all SINs from its system. For new authentication, they will now only ask for the last three digits of a SIN.
The Fallout After the Breach
And as if the data breach wasn’t bad enough, the attack totally messed up their billing and metering system. So there wasn’t just identity theft to worry about; there was also the wildly inaccurate bills people were getting. Some spiked by hundreds of dollars, others received multiple charges in a month.
The company admits the meters are recording accurate usage, but they can’t reliably access the data to bill correctly. This has led to MacGillivray Law filing a class-action lawsuit in December, citing both the data breach and the ensuing billing fiasco.
The whole mess got so bad that Premier Tim Houston called for an investigation. The Energy Board started a two-part inquiry: one looking at how the hack actually happened. And another digging into how NSP was handling everyone’s private data in the first place.
NSP’s Response and What’s Next?
So what’s NSP saying about the new dark web activity? So far…silence. The company hasn’t put out any statement addressing the fact that customers’ data is now floating around those shady marketplaces. However, they did make moves to contain the damage last year when word got out about the breach.
- Regulatory Scrutiny and Potential Fines: The Energy Board’s inquiry will dig into how NSP collected and protected customer data. One MLA even suggested a fine with “six zeros” would be appropriate. The Office of the Privacy Commissioner of Canada is also conducting its own separate investigation.
- Class Action Lawsuit: The proposed class action, with Danielle Fraser as the representative plaintiff, is seeking certification from the court. Fraser has heard from hundreds of people facing real financial harm—compromised bank accounts, credit card fraud, and relentless phishing emails.
- Credit Monitoring: NSP offered free credit monitoring, which will run for five years, to all current and former customers, up from the initial two years. The company also deployed volunteers to help people register.
- System Restoration: The utility aims to have all smart meters reconnected and accurate billing restored by the end of March 2026. They’ve promised not to pass the breach costs onto customers, relying on insurance to cover the damages. But for the 140,000 people whose SINs are now for sale on the dark web, the clock on potential identity theft is already ticking.
