August 16, 2025 Nova Scotia Power has been publicly reprimanded for requesting secrecy in the investigation of its recent ransomware attack, raising concerns about transparency in how the incident is handled.
The Nova Scotia Energy Board, overseeing the inquiry, rejected NSP’s push for confidential handling of key details—including the breach’s origins, scope and timeline—despite the company’s stated need to protect sensitive data. The Board insists the process must be as open as possible while safeguarding personal information.
The incident exposed personal details of approximately 280,000 customers, including social insurance numbers that NSP had not yet deleted from its systems. At least 140,000 customers were confirmed to have had SINs compromised in the breach.
Many customers voiced frustration in public submissions. One wrote:
“My private information was released on the internet… The notice of the cyber breach came two months after the breach occurred… this entire incident was handled poorly.” Another noted that credit monitoring activation codes failed to work, further eroding trust.
The Energy Board has demanded detailed disclosures from NSP. Areas for full public reporting include a breach timeline, systems affected, type of personal data exposed, the attack’s root cause, mitigation steps taken, and recommendations for future prevention.
While NSP has cooperated with investigations by both the Energy Board and the Office of the Privacy Commissioner of Canada, the pushback over its secrecy request highlights growing public concern. Nova Scotians are calling for a transparent response—not just behind closed doors.
