Cyber Incident Victim: Halifax

Date: Jun 2023

Location: Canada

Summary

A cyberattack exploiting a vulnerability in the MOVEit file transfer tool resulted in a significant data breach affecting the Nova Scotia government. The incident compromised a wide range of personal information belonging to numerous groups, including government employees, teachers, students, healthcare clients, and pension plan recipients. The stolen data varied by group but included combinations of names, addresses, dates of birth, government identification numbers, and, for a smaller number of individuals, social insurance numbers and health information.

Description

On or around June 1, 2023, the Government of Nova Scotia took its MOVEit file transfer application offline to apply a security update. This action was taken in response to a newly discovered vulnerability. The application was taken offline again on June 2 for further investigation into a potential security incident. This investigation confirmed a significant data breach. The Province subsequently undertook a detailed assessment to determine the scope and scale of the stolen records. The breach was not isolated to a single department but extended across multiple government bodies, affecting both members of the public and public service employees.

The investigation revealed a wide range of stolen personal information from various sectors. Approximately 55,000 records belonging to past and present certified and permitted teachers in Nova Scotia were compromised. The stolen data included names, addresses, dates of birth, years of service, and educational background. This list included individuals born in 1935 or later. The information did not include social insurance numbers or banking details. Approximately 26,000 students aged 16 years and older also had their information stolen. This data included date of birth, gender, student ID, school, civic address, and mailing address. This information was present in the database because it had been shared with Elections Nova Scotia.

The breach impacted approximately 5,000 owners listed in the Tourist Accommodations Registry. The stolen information consisted of names, the owner’s address, the property address, and the registration number. Approximately 3,800 individuals who had applied for jobs with Nova Scotia Health had their demographic data and employment details stolen; social insurance numbers were not included in this data set. About 1,400 Nova Scotia pension plan recipients had highly sensitive information stolen, including their names, social insurance numbers, dates of birth, and demographic data.

A specific municipal impact was identified, with 1,085 people who had been issued Halifax Regional Municipality parking tickets having their names, addresses, and licence plate numbers stolen. The justice system was also affected, with data on approximately 500 people in provincial adult correctional facilities being taken. This information included name, date of birth, gender, prisoner ID number, and status in the justice system. A further 54 people who were issued summary offence tickets had their names, driver’s licence numbers, and dates of birth stolen. Fifty-four clients of the Department of Community Services had their names, addresses, client ID, and transit pass photos compromised.

The healthcare system suffered a significant privacy breach due to this incident. About 1,330 people in the Department of Health and Wellness client registry had their names, addresses, dates of birth, and health card numbers stolen. At least 150 individuals in the Department of Health and Wellness provider registry, including doctors, specialists, nurses, and optometrists, were impacted. The information taken included names, addresses, and dates of birth but did not include social insurance numbers or banking information. Assessments for this group were stated as ongoing. About 60 people enrolled in the Prescription Monitoring Program had their names, addresses, dates of birth, health card numbers, and personal health information stolen. Forty-one newborns born between May 19 and May 26, 2023, had information stolen including last name, health card number, date of birth, and date of discharge. The parents of these infants were to be notified.

The Province acknowledged the challenge in estimating the exact number of individual Nova Scotians affected because some records may belong to the same person across multiple compromised datasets. For example, an individual could be a certified teacher, a civil service employee, and a recipient of a Halifax parking ticket. The government's stated priority was to assess the full extent of the breach and to notify all those impacted. Staff across all government departments were engaged in reviewing the stolen files, with the work being prioritized based on the level of risk to the individuals involved.

The government's response included a commitment to provide credit monitoring and fraud protection services to anyone whose sensitive personal information was confirmed as stolen. Details of these services were to be included in individual notification letters. The Province intended to begin sending these notification letters the week following the June 9 update. Public communications warned citizens that scammers often use such incidents to prey on people and emphasized that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money during its notification process.

Minister of Cyber Security and Digital Solutions Colton LeBlanc stated that providing more detailed information would cause concern but that no individual or organization is immune from cyber threats or theft. He strongly encouraged Nova Scotians to reach out to their financial institutions to flag the risk. The MOVEit application was updated with security patches and additional monitoring was put in place after the investigation. The government directed the public to a dedicated website for updates and information on the breach, including advice for potential victims. General advice was provided, suggesting that Nova Scotians who think they may have been hacked should immediately change passwords and update any versions of browsers, apps, and software on their devices. People were also advised to watch their banking and credit card records closely and to consider notifying their financial institutions as a precautionary measure.
