Cyber Incident Victim: Department of Labour, Skills and Immigration

On or around May 30-31, 2023, a cybersecurity breach occurred impacting the Nova Scotia provincial government. This incident was part of a larger global cybersecurity breach involving the MOVEit file transfer application. The breach took place before the Province was aware of the vulnerability inherent in the software. The specific attacker actions and initial access vectors were not detailed in the public update, but the compromise was centered on the MOVEit system used by the government for transferring files.

The Province became aware of the incident and took initial response actions. On June 1, 2023, the MOVEit application was taken offline for a security update. Following this initial step, the system was taken offline again on June 2 for further investigation. The application was subsequently updated and had additional monitoring put in place. The investigation into the scope and impact of the breach began immediately, led by the Department of Cyber Security and Digital Solutions. The investigation revealed that there were more than 5,800 folders involved in the breach, with each folder containing multiple files and records.

The breach resulted in the compromise of a significant amount of personal information belonging to various groups across Nova Scotia. The investigation was described as being in its early stages for identifying affected individuals, a process that was anticipated to take many weeks. A challenge in determining the definitive number of impacted individuals was the duplication of names across the breached files. The total number of affected Nova Scotians was also subject to change as the file review process continued.

By June 14, 2023, the Province had made significant progress in identifying specific groups and organizations impacted. The scope of the breach was extensive and affected both members of the public and public service employees. One affected group was approximately 13,000 active employees of regional centres for education and the Conseil scolaire acadien provincial. This group included teachers, administrative staff, human resources staff, and finance staff. The information breached for these individuals included name, address, social insurance number, pension payment amounts, and gender. This was noted as a distinct group from a previously announced list of certified and permitted teachers, though some overlap was possible.

The Prescription Monitoring Program was also impacted, with personal information breached for about 480 individuals. This was an update from an earlier figure of 60 people. The compromised data included health card number, personal health information, and demographic information. The Region of Queens Municipality had approximately 17,500 water and tax bill accounts affected. The information involved for these accounts was name, address, account number, payment amount, and balance owing. The Province confirmed this did not include other types of financial information.

Patients of the IWK Health Centre were also impacted. Just over 100 patients who visited the early labour and assessment unit had limited personal health information breached. This information was confined to name, date and time of visit, and reason for visit. A specific file from the Department of Labour, Skills and Immigration was compromised. This breach affected five students, whose name, address, social insurance number, phone number, and date of birth were released. A further two students had their name, institution, and student ID number released.

The investigation also reviewed the status of the Elections Nova Scotia voters list, which was stored on the MOVEit system so it could be shared with political parties. The file was determined to have been shared in a way that made it inaccessible, and the investigation indicated it was not compromised. Other previously announced figures were revised as the review continued. The number of recipients of Nova Scotia pensions whose information was compromised was adjusted downward to 900 from the 1,400 reported the prior week. The information involved was name, date of birth, and demographic information. Conversely, the number of incarcerated Nova Scotians whose information was breached increased to 655 from 500. The prisoner information compromised included prisoner ID number, name, gender, date of birth, and incarceration status.

The response to the breach included a public notification and offer of support for affected individuals. The Province announced that notification letters would begin to be sent out at the end of the week of June 14. These letters were to include information about arrangements made for a free fraud protection and credit monitoring service. The Minister of Cyber Security and Digital Solutions urged everyone who was impacted to register for the service. The public was also reminded that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money when notifying impacted individuals, as scammers often use such incidents to prey on people.

The process of reviewing files was a collaborative effort. While the Department of Cyber Security and Digital Solutions led the overall review, individual government departments and organizations that used the MOVEit application were sent their specific files to review. These departments and organizations were then responsible for notifying affected people accordingly. One example provided was Halifax Water, which independently notified approximately 25,000 customers that their names and account numbers were part of the breach. The Province established a dedicated online resource to provide updates and information on the breach, including advice for potential victims.