Canada's cybersecurity head offers rare insight into Nova Scotia Power breach

CBC, 15-06-2025
The head of Canada's cyber-defence agency is offering some insight just weeks after a ransomware attack against Nova Scotia Power.
The utility's computer systems were breached by ransomware hackers on March 19, but Nova Scotia Power did not discover it until April 25. The company disclosed the cybersecurity incident three days after that.
About 280,000 customers — more than half of the utility's customers in the province — were informed by letter that their personal information may have been compromised in the attack. The data included names, addresses, phone numbers, birth dates, driver's licences, social insurance numbers and banking information.
On Thursday, the Nova Scotia Energy Board granted approval to Nova Scotia Power to move forward with a $1.8-million project to improve cybersecurity.
The attack and its aftermath have sparked many questions about the security of the company's IT systems.
Rajiv Gupta, head of the Canadian Centre for Cyber Security, spoke to CBC News in a rare interview about how these types of incidents unfold and what people and organizations like Nova Scotia Power can do to protect themselves.
This interview has been edited for length and clarity:
Can you explain a bit about your agency and what it does?
The Canadian Centre for Cyber Security is really Canada's cyber defence agency. So, we provide advice, guidance and services to critical infrastructure systems of importance to Canada. Work primarily with the federal government is where we had started, but have really grown into critical infrastructure. And our goal is to raise cyber resilience across Canada.
We fall under CSE, which is the Communications Security Establishment, and CSE has a mandate for foreign intelligence, which goes back 80 years in terms of WWII. We report to the minister of national defence.
What do you make of the recent attack against Nova Scotia Power, which did ultimately affect about 280,000 customers?
We don't comment specifically on specific incidents, but as a cyber centre … any critical infrastructure providers that have incidents can report their incidents to the cyber centre. So last year we saw about 1,500 incidents. We see a lot of these, and that's what's really important and kind of sad to understand as well, that this is happening so often in terms of cyber-criminal organizations compromising critical infrastructure organizations in Canada.
Their motivation is money. They would compromise the network. So basically getting their software inside the network, but then stealing all the sensitive information from the organization and … then going ahead and encrypting systems and locking people out of their system. So we used to call that double extortion. So that way the criminal organization could threaten to release sensitive information, unless a ransom was paid, or also basically not give back access to systems unless a ransom was paid. So that was what we're seeing and it was incredibly impactful to system operators within Canada.
In this case, Nova Scotia Power did not pay the ransom that was asked of them. Is that common practice?
What we always do is we provide advice and guidance to organizations and we say, "it's a business decision," because we're not the ones operating their business, and we don't know their exact context, say if it's a threat to life or something else. But we always say, 'Hey there's a lot of downside to paying the ransom.' First of all, you're funding these criminal organizations. So, the more ransom is paid, the more we're going to proliferate this sort of behaviour. At the same point in time, you're paying this ransom to criminals. What's that contract worth in the end anyway? Is there really any guarantee that they're either not going to share the confidential information, or they're actually going to give you the keys to decrypt your systems and get your access back? The proceeds of this can go to criminal or even terrorist type causes as well, so, worrisome in that sense.
Are you able to say whether Nova Scotia Power had actually contacted your agency [following the breach]?
The one thing that I will say is that they did reach out to us. We always recommend that organizations that are victimized reach out to the cyber centre. We've seen many of these in the past and we have advice and guidance to share. And not only can we help the organization in their recovery, and in terms of paying the ransom, ransom might help you unlock your systems, but there's still always recovery costs that are part of this as well, regardless of whether you work with the criminal organization or not. But in this case, they did reach out to us.
And the other thing we always encourage is … we hope that they share information about the compromise as well. Because we can take that and share that with other critical infrastructure organizations in Canada.
Did they share with you the extent of the breach?
We wouldn't go into any details in that sense, but they did notify us of the breach.
Is there any sense of who might have been the perpetrator in this attack from your perspective? Nova Scotia Power says it has a sense of who it is.
I wouldn't comment on that. There's various groups and they often change shapes and forms as they get disrupted. Unfortunately it's an ever-evolving group of cyber criminals that are out there that seem to be performing these behaviours. And we have an assessment out in terms of a cyber criminal activity in Canada as well that kind of points to the groups that we've seen as active.
About 140,000 [social insurance numbers] were included in the stolen data. How serious is this, when that type of personal information is accessed?
I couldn't speak to the seriousness of that type of information, but what I will say is that this is exactly what cyber criminals go after. And depending on the type of information, it'll fetch a different price on the dark web. Organizations will collect personal information, whether it's SIN numbers, or credit card numbers, or health card numbers, other sorts of confidential information. Typically that information gets resold on the dark web for other criminals that are going to actually monetize that for other purposes. It's kind of a not very positive circle that exists on the dark web.
The way this actually works in terms of what we call "cybercrime as a service" is that it's a whole ecosystem of criminal entities that actually work together. And because it's typically run out of operations that are beyond the legal borders — often in Russian speaking countries where law enforcement won't necessarily prosecute — it's very difficult to disrupt these organizations. And even when law enforcement is able to disrupt them, it's fairly easy for them to kind of reconstitute themselves.
What are some of the risks when this personal information is shared on the deep web or dark web?
Once that information is out there, that often just spurs the next cycle of fraud. Whether it's spear phishing emails that are using that information, whether it's leveraging information about an organization or their clients to actually further compromise them. That's why it's really important to take note for everyone to be mindful of the things they can do to protect themselves.
Be extra vigilant of understanding what's being mailed to you and double checking those links and making sure it's coming from an authenticated source and whatnot. Being mindful of content, making sure you have strong authentication in terms of how you're actually accessing applications as well.
What would be your advice to Nova Scotia Power?
Really for all of these organizations, do your due diligence. Understand what your really critical elements are of your organization that would be your worst-case scenario. And then once you know what your worst-case scenario is, then you can defend that. Build the plan according to our ransomware playbook, have the backups in place, and have the strong measures in place.
The utility [Nova Scotia Power] applied for funding about a month before the ransomware attack. They cited the Canadian Centre for Cyber Security's most recent threat assessment, pointing out that power grids are so interconnected that they can be really vulnerable to these types of attacks. What would be the warning signs of an attack like this?
One of the things that we've been very mindful of … as the world gets more hostile, we're worried about impacts to critical infrastructure like electrical grids, pipelines, these sorts of things. A lot of them are controlled by systems that were never meant to be connected to the Internet. Nowadays, as people are looking to optimize efficiency, and connect to cloud services and connect sensors to networks, they're becoming more exposed to threat actors from around the world. Normally your electrical grid would only be threatened by people that are actually in the country and nearby, but as soon as you connect it to the Internet, you're pretty much opening a lot of this up to people from anywhere.
We are not a regulator. The cyber centre itself provides advice, guidance and services, but we have no authority over any of these entities. We work voluntarily to provide the best practices.