Nova Scotia Power Confirms Disruption from Ransomware Attack

Industry
Written by Anthony M. Freed
Published on May 28, 2025

Nearly a month after first disclosing a cyber incident, Nova Scotia Power has confirmed it was the target of a sophisticated ransomware attack. The breach, initially revealed on April 28, escalated when the company acknowledged on May 1 that hackers had accessed customer data.  

By May 14, the utility confirmed that sensitive personal information—including names, contact details, service history, billing records, driver’s license numbers, Social Insurance Numbers, and bank account details—had been compromised.

Despite the severity of the data theft, Nova Scotia Power stated that electricity generation, transmission, and distribution operations remained unaffected, SecurityWeek reports.

The utility emphasized that no ransom was paid, citing legal considerations and law enforcement guidance. However, the attackers have published stolen data, prompting the company to work with cybersecurity experts to evaluate the scope and nature of the exposure.

As of the most recent update on May 23, the identity of the ransomware group remains unknown, and the stolen data’s location has not been linked to any known leak site. Nova Scotia Power is notifying approximately 280,000 customers potentially impacted by the breach.  

The incident highlights ongoing concerns about the vulnerability of critical infrastructure providers to ransomware and data theft, even when operational systems remain intact.

Takeaway: The attack on Nova Scotia Power is just the latest reminder that ransomware isn’t about quick hits and simple shakedowns anymore. These operations are strategic, data-driven, and escalating.  

When threat actors exfiltrate customer and infrastructure data, they’re not just stealing data that they hope can be monetized; they’re gathering intel for round two. And this time, they’re aiming to disrupt critical services, not just file access.

We’ve seen this playbook before with Schneider Electric and ENGlobal. When adversaries walk off with detailed engineering designs, operational protocols, or supplier data, they’re doing reconnaissance for more precise strikes against similar targets in the future.  

These are the kinds of assets that keep the lights on in hospitals, fuel flowing to gas stations, and critical supply chains for entire regions. Once exfiltrated, that data doesn’t collect dust—it becomes the foundation for a much more serious campaign of disruption.

And while defenders are still relying on EPP and EDR to catch the bad guys, ransomware operators have already moved on. These crews are leveraging advanced TTPs like BYOVD to sidestep kernel-level protections, unhooking EDR tools from memory, abusing LOLBins, and living off the land to stay hidden. They’re slipping past security like it’s not even there—and often, it’s not, especially in legacy OT and ICS environments.

That’s the real problem. So much of our critical infrastructure still runs on fragile, outdated systems that were never designed to be online, let alone secure. Retrofitting modern security into these environments is like trying to bolt a deadbolt onto a cardboard door. The attackers know this, and they’re capitalizing on it.

This isn’t just corporate espionage or financial extortion anymore. It’s national security. And pretending otherwise is just whistling past the graveyard.  

If we don’t raise the cost of these operations through attack prevention, disruption, and operational resilience, we’re going to keep seeing ransomware tactics evolve faster than we can react, disrupting the very systems we can least afford to lose.

 

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
