Nova Scotia Power has confirmed a data breach that compromised sensitive customer information following a cybersecurity incident detected last month. The utility, a subsidiary of Emera, serves over 500,000 customers in Nova Scotia, commanding 95% of the market share. The company generates more than 10,000GWh of electricity annually, distributed through a 32,000km network of power lines.
On 28 April 2025, Nova Scotia Power announced the discovery of unauthorised access to parts of its network and servers. Although electricity production and distribution were unaffected, the incident disrupted internal operations.
By 1 May 2025, further investigations revealed that customer data might have been compromised. An update yesterday confirmed the exposure of data, including full names, phone numbers, email addresses, mailing and service addresses, participation in Nova Scotia Power programs, dates of birth, customer account histories, driver’s license numbers, Social Insurance Numbers, and bank account numbers for some customers.
No immediate evidence of data misuse detected
The breach was found to have occurred on 19 March 2025, indicating a delay of nearly two months before affected customers were notified via mailed notices. Nova Scotia Power stated that there is no evidence of misuse of the stolen data. However, to mitigate risks, the company is offering two years of credit monitoring services to those affected.
“Nova Scotia Power continues to investigate a cyber incident that has impacted certain IT systems in our network,” reads the incident status update. “While the investigation remains ongoing, we have determined that on or around March 19, 2025, certain customer information stored on the impacted servers was accessed and later taken by an unauthorised third party. Notifications are in the process of being mailed to impacted account holders, which includes detailed information about resources and support.”
Additionally, the company has partnered with TransUnion to provide a complimentary two-year subscription to a comprehensive credit monitoring service.
Customers are advised to remain cautious of phishing attempts, particularly those impersonating Nova Scotia Power to extract sensitive information. As of now, no ransomware groups have claimed responsibility for the attack.
Earlier this week, Spain sought detailed cybersecurity information from small electricity generators following a blackout on 28 April 2025. The outage impacted large areas of Spain, Portugal, and southern France, affecting train services and leaving millions without phone or internet access.
Spanish Prime Minister Pedro Sánchez has refuted claims that reliance on renewable energy sources contributed to the blackout. Furthermore, the National Cybersecurity Institute of Spain (Incibe) has intensified its investigation into whether smaller power facilities, including solar and wind farms, have been targeted by cyberattacks.
Read more: Spain seeks cybersecurity details from energy firms after blackout
