Nova Scotia Power’s CEO says up to 140,000 social insurance numbers could have been stolen by cyber-thieves who recently hacked into the utility’s customer records.
Peter Gregg said in an interview Thursday that the privately owned utility collected the numbers from customers to authenticate their identities.
“If there are a number of John MacDonalds, it (the social insurance number) determines which one we (the utility) are talking to,” Gregg said during the interview at the Halifax headquarters of the Emera subsidiary.
On May 23, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack — more than half of the total. Asked Thursday how many of these records contained the confidential, nine-digit social insurance numbers, Gregg replied, “approximately half.”
Cybersecurity expert Claudiu Popa questions why a utility would need to keep this kind of data about customers for customer authentication purposes.
The founder of the non-profit group KnowledgeFlow says there are less risky ways to identify customers with similar names than to store their social insurance numbers.
Get breaking National news
For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
“It clearly states on government websites that using one of a person’s most confidential identifiers is not the recommended approach to identifying individuals,” he said in an interview Thursday.
The federal government’s website says the numbers are for work applications and government records, and it advises people not to share them unless it’s legally required.
It also notes that thieves can use the numbers to commit fraud, including attempting to access government benefits and tax refunds.
“There’s an almost infinite number of ways that these numbers can be used in fraud,” said Popa.
Gregg said that the social insurance numbers weren’t required from its customers, and they offered them voluntarily.
The breach of the customer records was first reported in late April, and the company later indicated the first breach was detected in mid March.
Popa has said the company should by now have provided more precise information to each customer about what personal data was stolen, and given explicit warnings about potential harm.
Gregg said that more details will be provided as IT staff and other cybersecurity consultants continue working to obtain the information.
“We want to be careful to say what we know and not what we think,” he said.
“As we get deeper into the investigation and we are able to confirm details, that information will be shared with our customers.”
This report by The Canadian Press was first published May 29, 2025.
© 2025 The Canadian Press
Thieves gain access to about 140,000 social insurance numbers in NS Power database
