Canada's privacy commissioner looking into Nova Scotia Power ransomware attack
Canada’s privacy commissioner has started an investigation into a March data breach and ransomware attack at Nova Scotia Power that resulted in the theft of personal information of some 280,000 subscribers.
“We are actively engaging with the organization to ensure that it is taking appropriate steps to respond to the incident,” Commissioner Philippe Dufresne said in a statement Wednesday, “and my immediate focus is on ensuring that the company is effectively addressing the breach and protecting the personal information of its customers. This includes breach containment, notification and measures to reduce risks to those affected.”
The statement comes after the utility confirmed Friday that the attack came from a ransomware gang. It is still restoring IT systems and investigating the compromise. No ransom has been paid.
Although the attack seems to have started March 19th, it wasn’t detected until April 25th.
Stolen data has been published. Depending on the customer, it includes name, phone number, email address, mailing and service addresses, Nova Scotia Power program participation information, date of birth, customer account history (such as power consumption, service requests, customer payment, billing, and credit history, and customer correspondence), driver’s license number, Social Insurance Number and, for some customers who signed up for pre-authorized payments, their bank account numbers — in other words, almost everything a crook needs to impersonate a person.
That’s what a Nova Scotia couple who lost $30,000 from their bank account suspect happened on May 14th. According to CTV News, the bank told them their account had been accessed the day before by someone claiming to be the wife, with all of her information in hand. On May 23rd the couple received a letter from Nova Scotia Power stating their personal information had been compromised in the cybersecurity breach.
There are several ways a threat actor can breach an organization’s security controls: guessing, cracking or buying an administrator’s login credentials; tricking an IT employee of a company or a third-party provider into giving away their credentials; exploiting a vulnerability in an unpatched IT device such as a file server or VPN; finding a list of customers and their data created by an employee and insecurely stored in the cloud … the list goes on. However, even if an attacker has a username and password, defences such as the mandatory use of multi-factor authentication or biometrics for logins by employees with data access should blunt that kind of unauthorized entry. Data encryption is another tool for blunting data theft.
Despite international law enforcement successes disrupting the IT infrastructure of some ransomware gangs — this week an Iranian man pleaded guilty in the U.S. to being part of a crew that deployed the Robbinhood strain — ransomware remains a threat that makes the hair of CISOs (and CEOs) turn grey. Among the most recent organizations hit are U.K. retailers Marks and Spencer, Harrods, the supermarket chain the Co-operative Group, Oregon’s environment department and an Ohio healthcare centre.
It’s not just businesses and government IT departments. Operational technology (OT) networks with internet-connected devices that run factories and pipelines are also being targeted. Dragos, a provider of cybersecurity systems for OT networks, reported this month that it recently found 12 new ransomware actors targeting industrial firms.
The NCC Group says reported ransomware attacks dropped last month compared to previous months. But that’s reported attacks. Experts know cyber attacks are under-reported.
What IT and security leaders shouldn’t do is give up. Instead, they need to present the case to CEOs of the need for more resources to tighten their defences.
As I’ve written before, there’s lots of free advice on defending against ransomware from the national cybersecurity agencies in the U.S., the U.K., Canada and other countries, as well as the Center for Internet Security. Look also at the Blueprint for Ransomware Defence.