Cyber Incident Victim: Department of Education and Early Childhood Development

On or around May 30-31, 2023, a cybersecurity breach occurred impacting the Government of Nova Scotia. This incident was part of a larger global cybersecurity breach involving the MOVEit file transfer application. The breach took place before the Province was aware of the vulnerability present in the software. The specific attacker actions and initial access vectors were not detailed in the provided information. The Province became aware of the incident and took the MOVEit application offline on June 1, 2023, to apply a security update. The system was taken offline again on June 2 for further investigation, indicating an ongoing response to the discovered compromise. Following these security measures, the MOVEit system was updated and had additional monitoring put in place.

The investigation into the scope of the breach revealed a significant compromise of data. There were more than 5,800 folders involved in the incident, with each folder containing multiple files and records. The process of identifying all affected individuals was expected to take many weeks due to the sheer volume of data and the complexity of the records. A major challenge in determining the definitive number of impacted individuals was the duplication of names across the various breached files. The total number of affected Nova Scotians was also subject to change as the review of files progressed, with some estimates increasing while others decreased upon closer analysis.

The impact of this incident was widespread, affecting numerous government departments and public organizations. A significant number of employees within the education sector were impacted. Approximately 13,000 active employees of regional centres for education and the Conseil scolaire acadien provincial were affected. This group included teachers, as well as administrative, human resources, and finance staff. The breached information for these individuals included name, address, social insurance number, pension payment amounts, and gender. This was identified as a distinct group from a previously announced list of certified and permitted teachers, though some overlap between the groups was acknowledged.

The breach also compromised sensitive health information. Approximately 480 individuals enrolled in the Prescription Monitoring Program had their data accessed. The compromised data included health card number, personal health information, and demographic information. This figure was an update from an earlier estimate of 60 affected people. Furthermore, just over 100 patients who visited the early labour and assessment unit at the IWK Health Centre had their personal health information breached. The information taken was limited to name, date and time of visit, and reason for visit.

Municipal and financial data was also exfiltrated. About 17,500 water and tax bill accounts with the Region of Queens Municipality were compromised. The information breached included name, address, account number, payment amount, and balance owing. The Province confirmed that this did not include other more sensitive financial information. In a separate instance, Halifax Water notified approximately 25,000 customers that their names and account numbers were part of the breach.

Other specific groups were also impacted. The number of recipients of Nova Scotia pensions whose data was compromised was revised to 900 individuals from an initial report of 1,400. The breached data included name, date of birth, and demographic information. The number of incarcerated individuals whose information was accessed increased to 655 from an earlier figure of 500. The compromised data for this group included prisoner ID number, name, gender, date of birth, and incarceration status. Additionally, five students from a Department of Labour, Skills and Immigration file had their name, address, social insurance number, phone number, and date of birth released. Two other students had their name, institution, and student ID number released.

Elections Nova Scotia’s voters list was also on the MOVEit system, as it was shared with political parties. However, an investigation indicated that this particular file was not compromised. It was reported that the file had been shared in a way that made it inaccessible to the attackers.

The response to the incident involved a coordinated effort across government. The Department of Cyber Security and Digital Solutions led the overall review of files impacted by the breach. Individual government departments and organizations that used the MOVEit application were sent their specific files to review internally. These departments were then responsible for notifying the people affected by the breach based on their own records. This decentralized approach was used to manage the large-scale review and notification process.

By June 14, 2023, the Province announced that significant progress had been made in identifying groups of people and organizations impacted. The investigation was still in its early stages regarding the identification of all affected individuals. Notification letters were scheduled to begin being sent out at the end of that same week. These letters included information about arrangements made for a free fraud protection and credit monitoring service, which was being offered to all impacted individuals. The Province explicitly warned the public that scammers often use such incidents to prey on people and provided assurances that official notifications would not ask for social insurance numbers, MSI numbers, banking information, or money. Public guidance and updates on the breach were provided through a dedicated website, and citizens were directed to federal resources for information on protecting their social insurance numbers and general cyber safety.