Cyber Incident Victim: United States Department of Justice

On or around May 19, 2023, a significant data breach occurred involving the MOVEit file transfer tool utilized by the Government of Nova Scotia, Canada. The incident was part of a broader global cyberattack targeting the MOVEit application. The breach resulted in the large-scale exfiltration of sensitive data from provincial government systems. The initial discovery and public acknowledgment of the incident did not occur until later, with the province taking its MOVEit system offline on June 1, 2023, to apply a critical security update. The system was taken offline again on June 2 for further investigation and to conduct a comprehensive assessment of the extent of the data theft.

The provincial government undertook a detailed review of the stolen files to determine the scope and scale of the breach. By May 31, 2023, the Province had identified a wide range of records that were stolen, impacting numerous groups within the public and the public service. The stolen data encompassed a vast array of personal and sensitive information. The breach extended to approximately 55,000 records of past and present certified and permitted teachers in Nova Scotia. The information taken included names, addresses, dates of birth, years of service, and educational background. This dataset did not include social insurance numbers or banking information and covered individuals born in 1935 or later.

Approximately 26,000 students, all aged 16 years and older, were affected. The stolen student data included date of birth, gender, student ID, school attended, civic address, and mailing address. This particular set of information was contained within a database because it had been shared with Elections Nova Scotia. The breach also impacted around 5,000 owners of short-term accommodations listed in the Tourist Accommodations Registry. The information stolen from this registry included the owners' names, their personal addresses, their property addresses, and their registration numbers.

Within the healthcare sector, the breach was particularly severe. It affected approximately 3,800 individuals who had applied for jobs with Nova Scotia Health. Their stolen demographic data and employment details were taken, though social insurance numbers were not included in this dataset. A separate and more sensitive breach occurred involving about 1,400 recipients of the Nova Scotia pension plan. For these individuals, their names, social insurance numbers, dates of birth, and demographic data were confirmed as stolen. The healthcare system impact was further detailed through the compromise of the Department of Health and Wellness client registry, affecting about 1,330 people. The stolen data from this registry included names, addresses, dates of birth, and health card numbers.

The Department of Health and Wellness provider registry was also breached, impacting at least 150 doctors, specialists, nurses, and optometrists, with assessments ongoing at the time of the report. The information taken included names, addresses, and dates of birth but did not include social insurance numbers or banking details. The Prescription Monitoring Program was breached, affecting about 60 people. The data stolen in this instance included names, addresses, dates of birth, health card numbers, and personal health information. A highly specific breach involved 41 newborns born between May 19 and May 26. The information stolen included the newborns' last names, health card numbers, dates of birth, and dates of discharge from the hospital. The government committed to notifying the parents of these infants.

Other government functions were also compromised. Data from 1,085 individuals who had been issued parking tickets by the Halifax Regional Municipality was stolen, containing names, addresses, and licence plate numbers. Approximately 500 people in provincial adult correctional facilities had their information taken, including name, date of birth, gender, prisoner ID number, and their status within the justice system. About 100 vendors associated with Nova Scotia Health had product and pricing information stolen; their banking information did not appear to be included. Fifty-four people who were issued summary offence tickets had their names, driver’s licence numbers, and dates of birth stolen. Another 54 clients of the Department of Community Services were affected, with stolen data including names, addresses, client ID numbers, and transit pass photos.

The provincial government acknowledged the challenge in estimating the exact number of individual Nova Scotians affected due to the potential for duplicate records across the different breached datasets. An individual could be a certified teacher, a civil service employee, and could have also received a parking ticket, meaning their information may appear in multiple stolen files. The government's stated priority was to continue assessing the full extent of the breach and to formally notify all those who were impacted. Staff across all government departments were tasked with reviewing the stolen files, with the work being prioritized based on the level of risk to the affected Nova Scotians.

In response to the breach, the Government of Nova Scotia committed to providing credit monitoring and fraud protection services to anyone whose sensitive personal information, such as social insurance numbers or health card numbers, was confirmed as stolen. The details of these services were to be shared in individual notification letters that the Province intended to begin sending out the week following the May 31st update. The Minister of Cyber Security and Digital Solutions, Colton LeBlanc, publicly addressed the concern generated by the disclosure of more detailed information. He stated that no individual or organization is immune from cyber threats or theft and strongly encouraged Nova Scotians to reach out to their financial institutions to flag the potential risk. The government also warned the public that scammers often use such incidents to prey on people and emphasized that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money during its official notification process.

The technical response involved applying security updates to the MOVEit system after taking it offline. Following the initial update on June 1 and the subsequent investigation on June 2, the system was updated and brought back online with additional monitoring measures put in place. The government directed citizens to a dedicated website for ongoing updates and information on the breach, which also included advice for potential victims. This resource, along with information on protecting social insurance numbers and general cyber-safety from the federal government, was provided to assist those affected.