Canadian electric utility Nova Scotia Power has shared a list of the types of personal and financial information that were stolen as part of the recently disclosed cybersecurity incident.
The intrusion was announced to the public by Nova Scotia Power and its parent company Emera in late April, and on May 1 it was revealed that hackers had stolen some customer information.
The company highlighted that the incident did not cause any disruption to electricity generation, transmission and distribution facilities.
In an update shared on May 14, Nova Scotia Power said customer information stored on compromised servers was accessed and taken on or around March 19.
The stolen information includes one or more of the following types of data: name, date of birth, phone number, email address, mailing and service addresses, as well as data such as power consumption, service requests, and payment, billing, and credit history.
Driver’s license numbers and Social Insurance Numbers were also compromised, and in some cases — for customers who provided such information — the attackers also obtained bank account numbers shared for pre-authorized payments.
Nova Scotia Power says it does not have evidence of misuse of the compromised information — this is something that a majority of companies say when suffering a significant data breach — but it has decided to provide two years of free credit monitoring services to impacted individuals as a precaution.
It’s unclear how many individuals are impacted. The company provides electrical power to approximately 550,000 customers.
It’s also still unclear whether Nova Scotia Power was targeted in a ransomware attack. No known ransomware group has taken credit for the incident by the time of writing.
If this was indeed a ransomware attack, it’s possible that Nova Scotia Power has not been listed on any leak website because it decided to pay a ransom, or because it’s still negotiating with the cybercriminals.
The utility did not want to share any information outside of what has been posted on its website.
Related: Australian Human Rights Commission Discloses Data Breach
Related: Marks & Spencer Says Data Stolen in Ransomware Attack
Related: Security Firm Andy Frain Says 100,000 People Impacted by Ransomware Attack