This is the second such breach admitted by Nova Scotia Power. This breach has potentially compromised the social insurance numbers of up to 140,000 customers. The New York City incident was originally reported in late April. Cyber criminals acquired the equivalent of 280,000 customer records and social insurance numbers were located in almost half of the compromised files. CEO Peter Gregg provided an update on the situation on May 29, 2025, at 4:08 PM.
It has led to significant criticism about adequate safeguards of sensitive personal identifying information, i.e. PII. Like other utility providers across Canada, Nova Scotia Power faced the need to verify customers’ identities while providing customer-facing online services. Each nine-digit number uniquely identifies contract applications and federal records. This irrefragably underscores the urgent necessity to protect this information. The federal government warns you not to give out your social insurance number unless you are required by law to do so.
Cybersecurity expert Claudiu Popa told Gizmodo he was dubious about the need to collect such highly personal information in order to authenticate someone. His remarks highlight larger concerns about data privacy and the role corporations should play in protecting sensitive consumer data.
In the wake of the breach, the hacked customer records have allegedly already been dumped on the dark web by the cyber-thieves. Not only is this act of malice illegal, it undermines the financial security of every victim. Beyond the immediate impact of the decision, it calls into question the credibility of Nova Scotia Power’s serious commitment to data privacy.
The company has come under fire for its data retention policies, especially given this latest breach. Speculation continues even as investigations remain active. Stakeholders are understandably anxious to learn how such widespread access to customer records came to be and what steps will be taken to ensure this type of breach never happens again.
