Cyber Incident Victim: Elections Nova Scotia

Date: May 2023

Location: Canada

Summary

A global cybersecurity breach of the MOVEit file transfer tool impacted Elections Nova Scotia, though its voter list was not compromised. The broader provincial incident resulted in the theft of personal information from numerous groups, including thousands of government employees, municipal utility customers, and healthcare patients. Exposed data included names, addresses, social insurance numbers, and various types of personal health and financial information from several organizations that used the service.

Description

On or around May 30-31, 2023, a cybersecurity breach occurred involving the MOVEit file transfer tool used by the Government of Nova Scotia. This incident was part of a larger global cybersecurity breach affecting the MOVEit application. The Province of Nova Scotia was unaware of the vulnerability in the software at the time the breach took place. The specific attacker actions and initial access vectors were not detailed in the available reporting. The breach was detected, and on June 1, 2023, the MOVEit system was taken offline by the Province for a security update. The following day, on June 2, it was taken offline again to allow for further investigation into the incident. Following these security measures, the MOVEit system was updated, and additional monitoring was put in place.

The investigation into the breach revealed that more than 5,800 folders on the system were involved, with each folder containing multiple files and records. The process of reviewing these files to identify impacted individuals and data was complex and time-consuming. The Department of Cyber Security and Digital Solutions led the overall investigation, while individual government departments and organizations that used the MOVEit tool were sent their specific files to review. This process was necessary for each entity to identify affected individuals within their purview and to conduct notifications accordingly. The duplication of names across different files made it challenging to determine a definitive number of unique individuals impacted, and the total number of affected people changed as the file review progressed.

The scope of the breach was significant, impacting various groups of Nova Scotians and several distinct government departments and public bodies. A major group affected was the educational sector, with approximately 13,000 active employees of regional centres for education and the Conseil scolaire acadien provincial being impacted. This group included teachers, administrative staff, human resources personnel, and finance staff. The compromised information for these individuals included names, addresses, social insurance numbers, pension payment amounts, and gender. This was separate from a previously announced list of certified and permitted teachers, though some overlap was noted.

The healthcare sector was also impacted. The Prescription Monitoring Program had about 480 individuals affected, an increase from an initial report of 60 people. The breached data included health card numbers, personal health information, and demographic information. Furthermore, just over 100 patients who visited the early labour and assessment unit at the IWK Health Centre had limited personal health information compromised, including their name, date and time of visit, and reason for visit.

Municipal data was also exposed in the incident. The Region of Queens Municipality had approximately 17,500 water and tax bill accounts breached. The information involved included names, addresses, account numbers, payment amounts, and balances owing; other financial information was not included in this particular dataset. In a separate notification, Halifax Water informed approximately 25,000 customers that their names and account numbers were part of the breach.

Other specific groups were identified as the investigation continued. The number of recipients of Nova Scotia pensions whose data was compromised was adjusted to 900 from an initial figure of 1,400. The information involved for pensioners included name, date of birth, and demographic information. The number of incarcerated individuals whose data was accessed increased to 655 from an initial count of 500. The compromised data for prisoners included prisoner ID number, name, gender, date of birth, and incarceration status. A file from the Department of Labour, Skills and Immigration was also breached, impacting five students whose names, addresses, social insurance numbers, phone numbers, and dates of birth were released, and two other students who had their names, institutions, and student ID numbers released.

One notable dataset that was on the MOVEit system was the Elections Nova Scotia voters list. This file was placed on the system so it could be shared with political parties as part of the electoral process. However, the investigation indicated that this particular file was not compromised. It was reported that the file had been shared in a way that made it inaccessible to the attackers.

By June 14, 2023, the Province announced that significant progress had been made in identifying impacted groups. The work of identifying every specific individual affected, however, was still in its early stages. The process of sending formal notification letters to Nova Scotians was set to begin at the end of that week. These letters were to include information about arrangements made for a free fraud protection and credit monitoring service, which the government urged all impacted individuals to register for. The Province publicly advised all Nova Scotians to be vigilant by monitoring their financial transactions, changing passwords regularly, and taking steps to protect themselves from identity theft. A specific warning was also issued that scammers often use such incidents to prey on people, and the Province clarified that it would not ask for social insurance numbers, MSI numbers, banking information, or money when notifying impacted individuals.

The full extent of the breach was not immediately known, and officials stated that it would take many weeks to identify all affected individuals and complete the process of sending out notification letters. The Province established a dedicated website to provide ongoing updates and information on the breach, including advice for potential victims. This resource was available at novascotia.ca/privacy-breach. Additional guidance was directed to federal resources for protecting social insurance numbers and general cyber-safety information. The response was coordinated under the leadership of Cyber Security and Digital Solutions Minister Colton LeBlanc, who communicated the government's actions and updates to the public.
