Canadian Cyber Security Journal
Filed under: Featured, News

Nova Scotia Power Breach: 900,000 Canadians’ Data Exposed in SocGholish Ransomware Attack

What Happened

Nova Scotia Power, the primary electricity provider for the province of Nova Scotia and a subsidiary of Emera Inc., has confirmed that a 2025 cyberattack affected more than 900,000 current and former customers. The Office of the Privacy Commissioner of Canada (OPC) released details of a compliance investigation showing that the full scope of the breach far exceeded the initially disclosed figure of 280,000 individuals.

The attack began on March 19, 2025, when a Nova Scotia Power employee clicked a pop-up on a website compromised by the SocGholish malware toolkit, which downloaded and installed malware on the employee’s workstation. From that initial foothold, attackers escalated privileges and obtained domain administrator credentials by April 8, 2025. Over the following two weeks, the threat actor conducted internal reconnaissance and credential harvesting before exfiltrating data between April 23 and April 25, 2025.

Stolen records include driver’s licence numbers, Social Insurance Numbers, and bank account details belonging to approximately 375,000 current customers and 540,000 former customers. As part of the OPC compliance process, Nova Scotia Power pledged to delete all customer Social Insurance Numbers from its systems by the end of March 2026 and to submit an independent external security assessment by October 31, 2026.

Why This Matters for Canadian Organizations

This breach is a case study in how a single employee interaction with commodity malware can result in a five-week intrusion (March 19 to April 25), lateral movement across a critical infrastructure operator's network, and mass data theft affecting nearly one million Canadians.

SocGholish, also tracked as FakeUpdates, is one of the most consistently active initial-access malware families in the threat ecosystem. It operates by injecting fake browser update prompts into compromised legitimate websites, so employees do not need to visit suspicious or obscure sites to encounter it. The malware has served as the entry point for multiple ransomware affiliates since at least 2018, and its continued effectiveness reflects a gap between user awareness training and real-world browsing behaviour.

For Canadian regulated utilities and critical infrastructure operators, this case has direct implications under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the proposed Bill C-26 Critical Cyber Systems Protection Act. PIPEDA requires breach notification to affected individuals and to the OPC when there is a real risk of significant harm. The OPC’s public compliance engagement with Nova Scotia Power signals that regulators are actively scrutinising breach timelines, disclosure scope accuracy, and post-incident remediation commitments from infrastructure operators.

The data categories stolen here — Social Insurance Numbers combined with financial account details — create the conditions for identity theft, fraudulent credit applications, and account takeover at a scale that individual victims cannot easily self-remediate. Canadian security teams protecting customer data at this sensitivity level need to treat SIN and financial record exposure as a high-consequence breach category.

What to Do

Review your organisation’s endpoint detection controls for SocGholish and FakeUpdates indicators. Endpoint detection and response tools should flag the JavaScript-based dropper behaviour associated with SocGholish, typically a fake browser-update download executed through the Windows Script Host that then launches a second-stage interpreter; validate that those detections are tuned and active rather than assuming the vendor's defaults cover them.

Audit domain administrator credential usage and enforce privileged access workstations with multi-factor authentication for all accounts with domain admin rights. In this incident roughly three weeks passed between the initial foothold on March 19 and domain administrator compromise on April 8. Lateral movement from a single compromised endpoint to domain admin should be detectable within hours, not weeks.

Confirm your PIPEDA breach reporting procedures are documented and tested, including which data categories trigger mandatory OPC notification. If your organisation holds Social Insurance Numbers, financial account data, or government-issued identification numbers, classify those as critical data assets with specific access controls and audit trails.

Utilities and critical infrastructure operators should review their Bill C-26 readiness posture, as regulators are demonstrating they will engage publicly on breach response quality.
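The two detection checks recommended above, written out as an added example. This is not code from the article, from Nova Scotia Power or from any EDR product, and every record in it is constructed: the process-creation events mimic Sysmon Event ID 1 fields and the privileged-logon events mimic Windows Security Event ID 4672 fields, with assumed host names, account names and a hypothetical list of privileged access workstations. Rule 1 looks for the Windows Script Host running a .js file out of a user-writable folder, and for a script host spawning a second-stage interpreter; Rule 2 flags any tier-0 account logging on to a host that is not a designated PAW. A final helper measures the gap between the two, which is the "hours, not weeks" figure the text asks teams to hold themselves to.

```python
"""Detections for a SocGholish-style foothold and for domain-admin use off a PAW.

Added example; not code from the article, Nova Scotia Power or any EDR vendor.
All telemetry below is constructed: PROC_EVENTS use Sysmon Event ID 1 style
fields, LOGON_EVENTS use Windows Security Event ID 4672 style fields. Host and
account names and the PAW list are assumptions for illustration.
"""
from datetime import datetime
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SECOND_STAGE = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
# A drive-letter .js path on the command line, and the user-writable locations
# a fake "browser update" download typically lands in.
JS_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.js)"?', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\windows\\temp\\", re.I)

DOMAIN_ADMINS = {"NSP\\da.jsmith", "NSP\\da.backup"}   # assumed tier-0 accounts
PAWS = {"PAW-01", "PAW-02"}                          # assumed privileged access workstations

# Constructed Sysmon-style process-creation events (not real incident data).
PROC_EVENTS = [
    {"ts": "2025-03-19T10:00:00", "host": "WS-1043", "user": "NSP\\jsmith",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jsmith\Downloads\Chrome.Update.js"'},
    {"ts": "2025-03-19T10:00:04", "host": "WS-1043", "user": "NSP\\jsmith",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # placeholder encoded command, constructed for the example
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign: a logon script run from the domain share, not a user-writable path.
    {"ts": "2025-03-19T08:00:00", "host": "WS-0007", "user": "NSP\\ahall",
     "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\nsp.local\netlogon\mapdrives.js"},
]

# Constructed 4672-style privileged logon events (not real incident data).
LOGON_EVENTS = [
    {"ts": "2025-04-07T09:00:00", "host": "PAW-01", "user": "NSP\\da.jsmith", "logon_type": 2},
    {"ts": "2025-04-08T10:00:00", "host": "WS-1043", "user": "NSP\\da.backup", "logon_type": 3},
    {"ts": "2025-04-08T11:30:00", "host": "FS-02", "user": "NSP\\da.backup", "logon_type": 10},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_dropper(events):
    """Rule 1: script host running a .js from a user-writable folder, or a
    script host spawning a second-stage interpreter."""
    alerts = []
    for e in events:
        image, parent = _base(e["image"]), _base(e["parent"])
        if image in SCRIPT_HOSTS:
            m = JS_ARG.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                alerts.append({"ts": e["ts"], "host": e["host"], "rule": "js_dropper",
                               "detail": f"{image} ran {m.group(1)} (parent {parent})"})
        elif parent in SCRIPT_HOSTS and image in SECOND_STAGE:
            alerts.append({"ts": e["ts"], "host": e["host"], "rule": "js_second_stage",
                           "detail": f"{parent} spawned {image}"})
    return alerts


def detect_da_off_paw(logons):
    """Rule 2: a tier-0 account logging on anywhere that is not a PAW."""
    return [{"ts": l["ts"], "host": l["host"], "rule": "da_off_paw",
             "detail": f"{l['user']} logon type {l['logon_type']}"}
            for l in logons if l["user"] in DOMAIN_ADMINS and l["host"] not in PAWS]


def hours_to_privilege(proc_alerts, da_alerts):
    """Hours from the first dropper alert to the first DA logon off a PAW,
    or None if either side produced no alerts."""
    if not proc_alerts or not da_alerts:
        return None
    t0 = min(datetime.fromisoformat(a["ts"]) for a in proc_alerts)
    t1 = min(datetime.fromisoformat(a["ts"]) for a in da_alerts)
    return (t1 - t0).total_seconds() / 3600


if __name__ == "__main__":
    proc = detect_script_dropper(PROC_EVENTS)
    da = detect_da_off_paw(LOGON_EVENTS)
    for a in proc + da:
        print(a["ts"], a["host"], a["rule"], a["detail"])
    print("hours from foothold to domain-admin use off a PAW:", hours_to_privilege(proc, da))
```

On the constructed sample the dropper rule fires twice on WS-1043 (the .js out of Downloads, then PowerShell spawned by wscript.exe), the benign logon script is ignored, and Rule 2 fires on the two domain-admin logons that did not come from a PAW. The gap between the first alerts of each rule is 480 hours, which is the kind of number the review above says should be measured in hours. In a real environment the .js rule should also be keyed to the browser download directory on each endpoint image, and the PAW list should be fed from the directory rather than hard-coded.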

Source: SecurityWeek
