In recent statements, Nova Scotia Power’s CEO Peter Gregg disclosed a significant cyber breach involving the utility’s customer records, indicating that up to 140,000 social insurance numbers (SINs) may have been compromised by hackers. During an interview, he emphasized that the utility collects these numbers as part of its customer authentication process, particularly to differentiate between customers with similar names. The breach, which was first reported in late April, affected about 280,000 Nova Scotia Power customers, more than half of its total customer base. When questioned about how many records contained the sensitive SINs, Gregg mentioned that approximately half of the compromised records contained them.
The incident has sparked criticism from cybersecurity experts like Claudiu Popa, who raised concerns regarding the utility’s decision to retain such sensitive information for customer verification. Popa highlighted that there are less invasive ways to authenticate customers without relying on SINs, which are among an individual’s most confidential identifiers. According to him, the federal government advises against sharing these numbers unless it’s legally necessary, as they could facilitate various fraudulent activities, including unauthorized access to government benefits and tax refunds.
Popa further stressed the risks associated with having SINs stored within utility records, noting that there are countless ways these numbers can be exploited for fraudulent schemes. Despite these criticisms, Gregg defended the utility’s approach, stating that providing SINs was voluntary and that customers were not required to submit them to receive services. The breach itself was first detected in mid-March, indicating a longer timeline for the company to respond to the vulnerability.
Amid rising concerns, Popa called for Nova Scotia Power to offer clearer communication to affected customers regarding the types of personal data stolen, along with explicit warnings about the potential risks they may face following the breach. Although detailed information has not yet been provided, Gregg assured that the company is collaborating with IT staff and cybersecurity consultants to gather all relevant details. He emphasized the company’s commitment to accurately reporting known information instead of speculation, indicating a cautious approach as the investigation unfolds.
Acknowledging the seriousness of the situation, Gregg noted that further details will be shared with customers as the investigation progresses. By taking a careful and measured stance, the utility aims to maintain customer trust while ensuring that affected individuals are kept informed of any potential ramifications stemming from the breach. The incident has shed light on broader cybersecurity challenges in the utility sector, prompting discussions about data retention policies and customer identification practices.
In summary, the Nova Scotia Power data breach raises critical questions about the necessity and security of storing sensitive information like social insurance numbers. The fallout from this incident could serve as a wake-up call for utilities and other sectors that handle personal data, emphasizing the need for robust cybersecurity measures and more transparent communication with customers in the event of a data breach. As the investigation continues, both customers and cybersecurity experts will be watching closely for improvements in practices surrounding data protection and identification.