Cyber Incident Victim: Region of Queens Municipality

On or around May 29 and 30, 2023, a global cybersecurity breach occurred targeting the MOVEit file transfer system. This incident impacted the Province of Nova Scotia, which utilized the MOVEit system to transfer large files. The Region of Queens Municipality was subsequently identified as one of the organizations whose files were involved in this provincial breach. The municipality had used the provincial government's MOVEit system for file transfers, which placed its data within the compromised environment. The specific nature of the attacker's actions against the MOVEit system was not detailed in the available information, but the result was unauthorized access to and exfiltration of data files.

The investigation into the scope of the breach was conducted by the Province of Nova Scotia's Department of Cyber Security and Digital Solutions. This process involved reviewing the impacted files to identify affected individuals and organizations. Individual government departments and external organizations that utilized the MOVEit system, including the Region of Queens Municipality, were sent their specific files to review. The municipality worked collaboratively with the province to examine the compromised data. Through this review, it was determined that approximately 17,500 municipal files were impacted. These files pertained to two specific municipal services: tax accounts and the water utility system.

The data exposed in the breach was contained within these account files. The compromised information included account numbers, names, addresses, payment amounts, and outstanding account balances for both tax and water utility accounts. An analysis by the Region of Queens Municipality confirmed that no personal, sensitive, or direct financial information was saved within these particular files and was therefore not exposed. This specifically meant that no social insurance numbers, banking details, or credit card information were part of the data breach. The municipality also noted that phone numbers were not included in the affected files. A challenge in determining the exact number of unique individuals, businesses, and organizations affected was the duplication of names across the various accounts.

The broader provincial investigation revealed that the MOVEit breach impacted a wide array of other groups beyond the Region of Queens Municipality. This included approximately 13,000 active employees of regional centers for education and the Conseil scolaire acadien provincial, whose compromised data included names, addresses, social insurance numbers, pension payment amounts, and gender. Around 480 individuals in the Prescription Monitoring Program were affected, with breached data comprising health card numbers, personal health information, and demographic details. Just over 100 patients of the IWK Health Centre's early labor and assessment unit had their names, dates and times of visit, and the reason for their visit exposed. Information from five students from a Department of Labour, Skills and Immigration file was released, including names, addresses, social insurance numbers, phone numbers, and dates of birth, while two other students had only their names, institutions, and student ID numbers exposed. The number of incarcerated individuals impacted rose to 655, with compromised data including prisoner ID numbers, names, genders, dates of birth, and incarceration statuses. The number of Nova Scotia pension recipients affected was adjusted downward from 1,400 to 900. Other entities, such as Halifax Water, separately notified approximately 25,000 customers that their names and account numbers were part of the breach.

In response to the incident, the Province of Nova Scotia, under Cyber Security and Digital Solutions Minister Colton LeBlanc, took lead on notifications and mitigation efforts. The province announced that notification letters would begin to be sent to impacted Nova Scotians starting at the end of the week following June 14, 2023. These letters provided information about free fraud protection and credit monitoring services that the province had arranged for affected individuals, and recipients were urged to register for these services. The provincial government explicitly stated that its official notifications would not ask for a health card number, social insurance number, banking information, other personal information, or money, and it warned the public to be vigilant against subsequent phishing or scam attempts that might try to exploit the breach.

The Region of Queens Municipality initiated its own public communication on June 15, 2023, to inform residents of its involvement in the breach. The municipality's response included a public statement outlining the type of data that was and was not compromised. It urged the public to be aware of scammers who might use the known information to their advantage. The municipality provided a specific warning that it does not call property owners or water utility customers to request payment information for accounts. It reiterated its official payment channels, which include paying by credit card via a specified phone number, online through its official website, or in person at its Administration Building. Residents were advised to watch their financial transactions and notify their bank if anything was unexpected. The municipality also reminded people not to share personal information over the phone, such as financial details or social insurance numbers, even though such data was not part of the breach. The public was directed to a dedicated website set up by the province for further information as it became available.