Cyber Incident Victim: Halifax Water

On or around May 29, 2023, the Province of Nova Scotia was affected by a global cybersecurity breach targeting the MOVEit file transfer application. The incident was discovered as part of a wider international attack, and an immediate investigation was launched by the provincial Department of Cyber Security and Digital Solutions. The initial phase of the investigation focused on identifying which files stored on the compromised MOVEit system had been accessed and which individuals and organizations were impacted. The scale of the breach was significant, affecting a wide range of government departments, public services, and utility customers across the province. The investigation was described as being in its early stages, with the full scope still being determined as files were meticulously reviewed.

The breach impacted numerous distinct groups within Nova Scotia. A major cohort affected was the public education sector, with approximately 13,000 active employees of regional centers for education and the Conseil scolaire acadien provincial having their information compromised. This group included teachers, administrative staff, human resources personnel, and finance staff. The breached data for these individuals was particularly sensitive, encompassing names, addresses, social insurance numbers, pension payment amounts, and gender. This list was considered separate from a previously announced group of certified and permitted teachers, though some overlap between the two groups was acknowledged.

Healthcare information was also exposed in the incident. The Prescription Monitoring Program was impacted, with the number of affected individuals rising from an initial estimate of 60 to approximately 480 people. The compromised data for this group included health card numbers, personal health information, and demographic details. Furthermore, just over 100 patients who had visited the early labor and assessment unit at the IWK Health Centre were notified that their personal health information was breached. The data exposed in this case was limited to names, dates and times of their visit, and the reason for their visit, constituting a breach of personal health information.

Local government and utility services were not immune to the breach. The Region of Queens Municipality reported that approximately 17,500 water and tax bill accounts were impacted. The information accessed included names, addresses, account numbers, payment amounts, and outstanding balances. The municipality confirmed that no other financial data was compromised in this exposure. Separately, Halifax Water undertook its own notification process, informing approximately 25,000 of its customers that their names and account numbers were part of the data breach on the MOVEit system.

The breach also extended to smaller, more specific groups. Data from a Department of Labour, Skills and Immigration file was released, impacting five students. The information exposed for these individuals included names, addresses, social insurance numbers, phone numbers, and dates of birth. An additional two students had their names, institutions, and student ID numbers exposed. The provincial correctional system was also affected, with the number of incarcerated individuals impacted rising from an initial count of 500 to 655 people. The data compromised for prisoners included their prisoner ID numbers, names, genders, dates of birth, and their incarceration statuses.

One area confirmed to be unaffected was the electoral system. While the Elections Nova Scotia voters list was present on the MOVEit system for the purpose of sharing with political parties, it was determined that the file had been shared in a specific manner that rendered it inaccessible. The investigation concluded that this particular file was not compromised in the breach.

The provincial response was coordinated by Cyber Security and Digital Solutions Minister Colton LeBlanc. The primary response action was the issuance of notification letters to all individuals whose information was confirmed to be part of the breach. The mailing of these letters was scheduled to begin at the end of the week following the May 31st announcement. Each letter contained information about free fraud protection and credit monitoring services that the province had arranged for all impacted individuals. The Minister publicly urged every affected Nova Scotian to register for these services to protect themselves from potential identity theft and fraud.

A significant challenge for investigators was accurately determining the total number of unique individuals affected. Due to the widespread duplication of names across the various breached files, providing a precise count of impacted Nova Scotians proved difficult. Furthermore, the number of affected individuals was described as continually fluctuating as the file review process continued. This was evidenced by updates to previously announced figures; for instance, the number of recipients of Nova Scotia pensions whose data was compromised was revised downward from 1,400 to 900 people. The data exposed for pensioners included names, dates of birth, and demographic information. The process of review was delegated to individual government departments and organizations that utilized the MOVEit system; these entities were sent their respective files to conduct their own analysis and to carry out the responsibility of notifying the affected individuals. The investigation remained ongoing as these reviews proceeded.