Listen to this article
Estimated 4 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Nova Scotia Power is providing more information about the cyberattack on the utility earlier this year and its response in the months that followed.
The utility submitted an incident report to the province’s energy board on Tuesday after the board requested Nova Scotia Power provide more details about several aspects of the breach before the end of the year.
“The company considers that its response to the incident — encompassing containment, remediation, and investigation — was effective and executed in a very timely and highly coordinated manner,” stated the 43-page report.
The energy board, which is conducting its own investigation into the cyberattack, asked for the report this summer after Nova Scotia Power was hacked in March.
The personal information of thousands of customers was compromised by the cyberattack but the utility said it continues to find no evidence that its infrastructure was threatened.
The board requested Nova Scotia Power provide detailed accounts of several things including how it detected the cyberattack, a timeline of subsequent events, whether or not there were any signs of cyber threats before the breach and whether the utility has identified any security gaps since the breach.
Timeline redacted
Nova Scotia Power officials have said it was likely a Russian agent that gained access to the company’s digital systems on March 19. The utility didn’t notice customers’ personal information had been compromised until April 25.
The utility contacted law enforcement agencies such as the Canadian Centre for Cybersecurity, RCMP and the Canadian Security Intelligence Service two days later, according to the report. The report said Nova Scotia Power also notified the FBI.
Most other details of the subsequent response are redacted in the report submitted to the energy board.
Nova Scotia Power also redacted several paragraphs regarding the actions taken to remediate the breach.
Nova Scotia Power is asking the energy board to keep some sections of its report into the cyberattack redacted. A spokesperson for the board said it will make a decision at a later date. (Nova Scotia Energy Board)
In addition to the incident report, Nova Scotia submitted a request to the energy board on Tuesday seeking confidentiality for some of the information in the report.
The board will decide whether or not to approve the request at a later date and, in the meantime, the redacted version of the report is available to the public.
A spokesperson for the energy board said Tuesday it was early to comment on the incident report.
Nova Scotia Power did not respond to a request for comment.
More customers affected than first thought
Nova Scotia Power has been working with data analysis experts to investigate the extent of the cyberattack, according to the report.
For months, the utility said it believed 277,000 customers had been affected by the breach.
In October, Nova Scotia Power identified an additional 97,000 customers who had their personal information compromised bringing the total closer to 375,000.
Nova Scotia Power has responded by setting up dedicated call centres for customers and a dedicated webpage to address concerns about estimated billing.
The energy board is also investigating Nova Scotia Power’s estimated billing process after several customers reported inflated bills since the breach in March.
What’s not in the report
In addition to the redactions, there are some omissions in the incident report submitted to the energy board.
The board wanted Nova Scotia Power to include a review of its policies for collecting and retaining personal information after it was reported some customer’s social insurance numbers were compromised in the breach.
The utility didn’t provide much detail in the report, stating it is “working to enhance its overall privacy governance framework,” and the company’s privacy officer will be responsible for clarifying expectations of employees when it comes to data and privacy.
The report also didn’t provide an update on the amount of money Nova Scotia Power still owes multiple contractors.
Some contractors that have worked for Nova Scotia Power recently are owed hundreds of thousands of dollars and the utility blamed the cyberattack for the delays.
Nova Scotia Power plans to provide an update on the outstanding dues in early February.
MORE TOP STORIES