Nova Scotia Power, the province's largest electrical utility and primary power provider for approximately 500,000 Nova Scotian households and businesses, has confirmed that roughly 900,000 current and former customers were impacted by a cyberattack that occurred in 2025. Canada's Office of the Privacy Commissioner investigated the incident and has mandated that the utility strengthen its security posture following findings from the review. The disclosure, reported March 25, 2026, represents one of the largest utility sector data breaches in Canadian history and underscores persistent security gaps in critical infrastructure operators.
What Happened
Nova Scotia Power experienced a cyberattack in 2025 that resulted in unauthorized access to customer data. The breach affected approximately 900,000 current and former customers — a figure that encompasses the near-totality of the utility's customer base, as Nova Scotia Power serves the overwhelming majority of the province's electricity consumers.
The incident drew scrutiny from Canada's federal privacy regulator. Following an investigation, the Office of the Privacy Commissioner determined that NS Power's security practices were insufficient and has mandated that the utility implement strengthened security measures. The privacy commissioner's intervention signals that the breach was not treated as an isolated technical failure but as evidence of systemic security deficiencies requiring regulatory correction.
NS Power agreed to the security improvement conditions, per the privacy commissioner's statement. The specific remediation requirements have not been fully detailed publicly, but the commissioner's involvement indicates findings related to inadequate data protection controls, insufficient breach detection capabilities, or failure to meet PIPEDA obligations for personal data protection.
The timeline — a 2025 attack with March 2026 public disclosure and regulatory resolution — suggests either an extended forensic investigation, a protracted regulatory process, or delayed notification, any of which carries its own compliance implications under Canadian privacy law.
What Was Taken
The specific data categories exposed have not been fully enumerated in public disclosures. For a utility of NS Power's profile, the compromised dataset almost certainly includes:
- Customer identity data — names, service addresses, mailing addresses, and contact information for 900,000 accounts
- Account and billing data — customer account numbers, billing histories, payment records, and rate plan details
- Social Insurance Numbers — utilities in Canada routinely collect SINs for credit check purposes at account opening; their presence in this dataset would significantly elevate fraud risk
- Banking and payment information — pre-authorized debit (PAD) account details, PAD agreement records, and credit card data (depending on storage architecture)
- Energy consumption data — smart meter and usage records, which can reveal occupancy patterns and lifestyle information
- Former customer records — the inclusion of former customers extends the breach window backward, potentially years, and covers individuals who may no longer expect to be in NS Power's active database
The breadth of the impacted population — 900,000 in a province of approximately 970,000 people — means this breach functionally covers almost every Nova Scotian with an electricity account.
Why It Matters
Critical infrastructure operators occupy a unique position in the threat landscape: they hold large volumes of consumer PII while simultaneously operating systems whose disruption carries physical consequences for public welfare. NS Power is not just a data custodian — it is the entity that keeps hospitals powered, homes heated, and emergency services operational across an entire Canadian province.
This breach demonstrates a pattern that regulators in Canada, the US, and Europe are increasingly confronting: utilities that have invested heavily in operational technology but underinvested in IT security and data governance. The privacy commissioner's decision to mandate security improvements — rather than simply issuing a finding — reflects growing regulatory impatience with utilities that treat customer data protection as a secondary concern.
The 900,000-person scale also illustrates the concentration risk inherent in provincial utility monopolies. Unlike a retail breach where customers have alternatives and can simply take their business elsewhere, Nova Scotians have no alternative power provider. They cannot opt out of NS Power's data systems. The absence of competitive choice makes robust regulatory enforcement the only meaningful check on security standards.
For the broader critical infrastructure sector, the NS Power breach adds to a mounting body of evidence that threat actors — whether ransomware groups, state-sponsored actors, or opportunistic criminals — are actively targeting utilities for their combination of sensitive consumer data and operational leverage.
The Attack Technique
The attack vector has not been publicly disclosed by NS Power or the privacy commissioner. Utility sector breaches of this type commonly involve:
- Internet-facing customer portal compromise — utility self-service portals are internet-accessible, frequently run legacy web application stacks, and have direct database access to customer records; SQL injection, authentication bypass, and credential stuffing are documented attack vectors against this infrastructure class
- Phishing and business email compromise — large utilities with distributed workforces are frequent phishing targets; a single compromised employee credential with access to billing or customer management systems can expose the full customer database
- Third-party or vendor access exploitation — utilities contract extensively with metering companies, billing platform vendors, and field service providers; compromised vendor credentials with customer system access are a documented initial access pathway
- OT/IT boundary crossing — while this breach appears to have affected the IT and customer data side rather than operational technology, the interconnection between billing systems, smart meter infrastructure, and grid management systems creates lateral movement risk that defenders must continuously evaluate
The privacy commissioner's mandate for security improvements suggests the investigation identified specific control failures rather than simply bad luck — likely pointing to inadequate access controls, insufficient monitoring, or delayed detection capabilities.
What Organizations Should Do
- Segment customer data systems from operational technology networks — the IT/OT boundary in utilities is a critical security control; customer billing databases and smart meter management systems should be isolated from grid control infrastructure with monitored, strictly controlled interfaces
- Implement continuous monitoring and anomaly detection on customer database access — bulk data access, unusual query patterns, and off-hours administrative activity against customer records should trigger immediate alerts; the extended timeline typical of utility breaches suggests detection failures that better monitoring would address
- Conduct a full audit of third-party vendor access to customer systems — utilities grant extensive system access to metering vendors, billing platforms, and field service contractors; inventory all active vendor credentials, enforce least-privilege access, and implement just-in-time access provisioning for vendor connections
- Establish a clear breach notification timeline and practice it — Canadian PIPEDA requires notification to the privacy commissioner of breaches posing real risk of significant harm; utilities should have pre-drafted notification templates, defined escalation paths, and practiced tabletop exercises covering breach discovery-to-notification workflows
- Treat former customer records with the same security posture as active accounts — this breach included former customers, whose records are often migrated to lower-security archival systems; data minimization and secure deletion policies should define maximum retention periods for inactive customer records, with cryptographic deletion of PII at end of retention
- Engage your national CERT and sector-specific ISAC proactively — the Canadian Centre for Cyber Security (CCCS) and the Electricity ISAC provide threat intelligence and incident response support specific to the energy sector; utilities that have not established pre-incident relationships with these bodies should do so before the next attack, not after
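Detection logic for the database-monitoring and vendor-access recommendations above, as an added example that is not NS Power's tooling or anything described on this page: a small Python rule set run over a constructed JSON-lines audit log. The log schema, the thresholds, the business-hours window, the list of PII tables and the single vendor approval record are all assumptions chosen for the demonstration; a real deployment would take the records from the database's native audit feature and the approvals from the access-request system.

```python
"""Rule-based detection over a customer-database audit log.

Added example (not NS Power's code). Field names, thresholds and the
vendor approval record are assumptions chosen for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records in JSON-lines form (assumed schema:
# timestamp, principal, role, table, statement type, rows touched, source IP).
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-03-10T09:14:02", "principal": "billing_app", "role": "service", "table": "customers", "stmt": "SELECT", "rows": 1, "src": "10.20.1.15"}
{"ts": "2025-03-10T09:14:05", "principal": "billing_app", "role": "service", "table": "customers", "stmt": "SELECT", "rows": 1, "src": "10.20.1.15"}
{"ts": "2025-03-10T02:31:40", "principal": "dba_jsmith", "role": "admin", "table": "customers", "stmt": "GRANT", "rows": 0, "src": "10.20.5.9"}
{"ts": "2025-03-10T02:32:10", "principal": "dba_jsmith", "role": "admin", "table": "customers", "stmt": "SELECT", "rows": 450000, "src": "10.20.5.9"}
{"ts": "2025-03-10T11:05:00", "principal": "meter_vendor", "role": "vendor", "table": "meter_reads", "stmt": "SELECT", "rows": 12000, "src": "203.0.113.7"}
{"ts": "2025-03-10T11:06:30", "principal": "meter_vendor", "role": "vendor", "table": "customers", "stmt": "SELECT", "rows": 20000, "src": "203.0.113.7"}
{"ts": "2025-03-10T14:00:00", "principal": "support_agent", "role": "staff", "table": "customers", "stmt": "SELECT", "rows": 1, "src": "10.20.2.40"}
"""

PII_TABLES = {"customers", "payments"}       # tables holding personal data (assumed)
BULK_ROWS = 10_000                            # rows in one statement that count as bulk
AGGREGATE_ROWS = 100_000                      # rows per principal across the whole window
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # admin activity outside this is off-hours

# Approved, time-boxed (just-in-time) vendor access, keyed by vendor principal (assumed).
VENDOR_APPROVALS = {
    "meter_vendor": {
        "tables": {"meter_reads"},
        "window": (datetime(2025, 3, 10, 10, 0), datetime(2025, 3, 10, 12, 0)),
    },
}


def parse_log(text):
    """Parse JSON-lines audit text into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def evaluate_record(rec):
    """Return (rule, detail) pairs for every per-record rule the entry trips."""
    hits = []
    ts = datetime.fromisoformat(rec["ts"])
    if rec["table"] in PII_TABLES and rec["rows"] >= BULK_ROWS:
        hits.append(("bulk_read", f'{rec["rows"]} rows from {rec["table"]}'))
    if rec["role"] == "admin" and is_off_hours(ts):
        hits.append(("off_hours_admin", f'{rec["stmt"]} at {ts.time()}'))
    if rec["role"] == "vendor":
        approval = VENDOR_APPROVALS.get(rec["principal"])
        if approval is None:
            hits.append(("unknown_vendor", "no approval record on file"))
        else:
            if rec["table"] not in approval["tables"]:
                hits.append(("vendor_out_of_scope", f'table {rec["table"]} not approved'))
            start, end = approval["window"]
            if not (start <= ts <= end):
                hits.append(("vendor_outside_window", f"access at {ts} outside JIT window"))
    return hits


def run_detections(log_text):
    """Apply the per-record rules, then an aggregate rule that catches many small reads."""
    alerts = []
    rows_by_principal = defaultdict(int)
    for rec in parse_log(log_text):
        for rule, detail in evaluate_record(rec):
            alerts.append({"rule": rule, "ts": rec["ts"], "principal": rec["principal"], "detail": detail})
        if rec["table"] in PII_TABLES and rec["stmt"] == "SELECT":
            rows_by_principal[rec["principal"]] += rec["rows"]
    for principal, total in rows_by_principal.items():
        if total >= AGGREGATE_ROWS:
            alerts.append({"rule": "bulk_aggregate", "ts": None, "principal": principal,
                           "detail": f"{total} PII rows read in window"})
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. for a dashboard tile or a daily report."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the sample, the two routine single-row reads by the billing service and the support agent produce nothing, the off-hours GRANT and 450,000-row read by the DBA account trip both the off-hours and bulk rules, and the metering vendor is flagged only for the read against the customers table, which sits outside its approved scope even though it happened inside the approved time window. The aggregate rule exists because an attacker who paces exfiltration in small batches never trips the single-statement threshold; summing rows per principal over the review window is the cheap way to catch that pattern.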