Cyber Incident Victim: Government of Nova Scotia

On or around June 1, 2023, the Government of Nova Scotia took its MOVEit file transfer tool offline to apply a security update. This action was taken in response to a broader, global vulnerability discovered in the MOVEit software. The following day, on June 2, the system was taken offline a second time to allow for a more thorough investigation into a potential security incident. This investigation confirmed that a cyber security breach had occurred, resulting in the theft of data from the provincial government's systems. The MOVEit application was subsequently updated with security patches, and additional monitoring was put in place once it was returned to service.

The provincial government undertook a significant effort to assess the scope of the data theft by reviewing the stolen files. This process was prioritized based on the level of risk to affected individuals. The investigation revealed a wide-ranging impact across multiple government departments and agencies, affecting both public servants and members of the public. The stolen data encompassed a vast number of records containing various types of personal information. The breach was not contained to a single dataset but was instead fragmented across numerous distinct groups, making a comprehensive assessment challenging.

The breach impacted a substantial number of current and former government employees and public service members. Approximately 55,000 records belonging to past and present certified and permitted teachers in Nova Scotia were stolen. These records contained names, addresses, dates of birth, years of service, and educational background information. Social insurance numbers and banking details were not included in this particular dataset. The list included individuals born in 1935 or later. Furthermore, approximately 3,800 people who had applied for jobs with Nova Scotia Health had their demographic data and employment details stolen; social insurance numbers were also not included in these application records.

A significant number of members of the public were also affected. The data of approximately 26,000 students aged 16 years and older was stolen. This information, which included date of birth, gender, student ID, school, civic address, and mailing address, was in the government's database because it had been shared with Elections Nova Scotia. Approximately 5,000 owners of short-term accommodations listed in the Tourist Accommodations Registry had their information taken, including their names, owner’s addresses, property addresses, and registration numbers. About 1,400 recipients of Nova Scotia pension plans had highly sensitive information stolen, including their names, social insurance numbers, dates of birth, and demographic data. Another 1,085 individuals who had been issued parking tickets by the Halifax Regional Municipality had their names, addresses, and licence plate numbers compromised.

The breach also affected individuals within the justice and correctional systems. Approximately 500 people in provincial adult correctional facilities had their personal information stolen, including their names, dates of birth, gender, prisoner ID numbers, and their status within the justice system. Fifty-four people who had been issued summary offence tickets had their names, driver’s licence numbers, and dates of birth taken.

The healthcare system was notably impacted, with sensitive personal and health information being stolen. About 1,330 people listed in the Department of Health and Wellness client registry had their names, addresses, dates of birth, and health card numbers compromised. At least 150 individuals in the Department of Health and Wellness provider registry, including doctors, specialists, nurses, and optometrists, had their names, addresses, and dates of birth stolen; assessments for this group were ongoing, but the information did not include social insurance numbers or banking details. Approximately 60 people enrolled in the Prescription Monitoring Program had their names, addresses, dates of birth, health card numbers, and personal health information taken. In a particularly sensitive case, information on 41 newborns born between May 19 and 26, 2023, was stolen; this included the last name, health card number, date of birth, and date of discharge from the hospital.

Other, smaller groups were also affected. Approximately 100 Nova Scotia Health vendors had their product and pricing information stolen, though their banking information did not appear to be included. Fifty-four clients of the Department of Community Services had their names, addresses, client ID, and transit pass photos compromised.

The provincial government acknowledged the difficulty in estimating the exact number of unique individuals affected due to the potential for duplicate records across the different datasets. For example, a single individual could be a certified teacher, a civil service employee, and could have also received a parking ticket, thus appearing in multiple breached datasets. The government's stated priority was to complete the assessment of the breach's full extent and to notify all those who were impacted.

The response action from the government included a commitment to directly notify individuals whose sensitive personal information was confirmed to have been stolen. The Province intended to begin sending these notification letters the week following the June 9 update. The offer of credit monitoring and fraud protection services was extended to anyone whose sensitive personal information was stolen, with the specific details of this service to be included in the individual notification letters.

Public communication was a key part of the response. The Minister of Cyber Security and Digital Solutions, Colton LeBlanc, addressed public concern, acknowledging that the new details would cause worry. He stated that no individual or organization is immune from cyber threats or theft and strongly encouraged Nova Scotians to reach out to their financial institutions to flag the risk. The government also provided warnings about potential scammers attempting to prey on people following the incident, explicitly stating that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money during its notification process. The government directed citizens to a dedicated website for updates and information on the breach and provided links to federal resources for protecting social insurance numbers and general cyber safety information.