NSPower Cybersecurity Incident
Here we go again, no fault of mine, the 3rd or 4th time my identity and so many details about me have been stolen and published on the Internet.
It's disgusting how many organizations are ignorant about their customers' personal information. It's also worse that it's basically a "Whoops, our bad", here's two years of credit monitoring service, even though the details of you are out there forever, and you are now vulnerable for the rest of your life.
In March of 2025, seemingly after a few public calls from Emera that they need more budget for cybersecurity defenses, they noticed a month later and began notifying customers that over half of their customer base had been dumped, ransomware'd and ransom demanded (though not paid). It's actually a good thing Emera did not pay the threat actors, as I've seen time and time again, organizations paying the thief on the promise that data would be erased and an unlock key would be provided, seems to fall on deaf ears. Look at the PowerSchool breach, I believe they paid the ransom and the data was published on the dark web anyways.
Compounding this bullshit is the fact Quebec is the only province in Canada that mandates actual "Credit Freezes" for TransUnion and Equifax. Whereas in the other provinces, those companies only have to provide "Credit Alerts", which is a small line of text on an individual's credit report stating the lender should contact the number provided. But they are not required by law to do so. I found this out when I applied for credit when Equifax was hacked, and I put on credit alerts. I told the lender about them, and they said "no problem, we can skip that requirement".
Now in Canada, we have the "Personal Information Protection and Electronic Documents Act" (PIPEDA), which I interact with daily through my line of work. This law gives normal citizens some privacy rights including the ability to request the information an organization stores about us. It's not iron-clad but I've used it multiple times and only had to fight with one organization for a week before they conceded.
So after getting the dreaded and non-personalized letter from Nova Scotia Power, I drafted up a request to NSPower's privacy officer and am currently waiting for a response, as I wanted to know what exact data the threat actor accessed with my profile. I couldn't remember giving them my SIN number but I want to make sure.
Following that, here are the steps I've taken and recommend others to consider. Your mileage may vary. Do not make yourself an easy target.
- Sign up for MyTrueIdentity credit monitoring
  In the letter sent by NSPower, they include an activation code for TransUnion credit monitoring. Funny enough, after enrolling and attempting to sign in, my account was suspended and I had to wait until the next business day to call them to unlock it. So do not sign up on a Friday afternoon.
- Place an alert on Equifax
  You can do this online or via snail-mail. Both are not instant. Electronic is faster though.
- Place an alert on TransUnion
  I also signed up for TransUnion service to put an alert on my file, but they didn't tell me it will cost ~$30 to sign up for your report. I placed the alert, downloaded my report and cancelled the payment.
- Sign up for Credit Karma (TransUnion) and Borrowell (Equifax)
  Regularly monitor your credit at least on a weekly basis. I've used these services for years. Be proactive and if you notice something fishy, report it immediately.
- Call your bank(s) and credit card companies
  If you used your banking to pay your electricity bill, call your bank and get the account(s) you used changed. Criminals can use their transit/routing/account numbers to withdraw from those accounts. My bank did this for me pretty quickly. Place flags on all your accounts. The downside to doing this is you need to redo any services that used pre-authorized debit or direct deposit. So think your employment's direct deposit, your Interac E-Transfer (if you have auto-deposit enabled). Don't forget CRA and any other Service Canada for direct deposits.
  Cancel and re-issue any credit cards used to pay for your bill. I believe this is something that was introduced recently to NSPower's billing platform so it may not be necessary. I've done it anyways.
- Call the CRA
  Another fun one. You need to call the Canada Revenue Agency and let them know the situation. This is to prevent criminals from filing fraudulent income tax returns using your information or applying for benefits. This would also be a good time to review your "authorized representatives" and remove any you no longer use.
- Call your local police
  Get a case number and list all accounts and any other details.
- Call your Phone Carrier
  Let them know the situation and make sure you have a note on your file to contact you in case someone tries to social engineer and perform a SIM swap attack. Make sure if they offer PIN protection to have it updated. Criminals will attempt to hijack your phone number to bypass SMS 2FA to make it easier to access your accounts.
- Be extra cautious
  Do not click on any suspicious attachments or links sent in text messages and/or emails. If you receive phone calls (especially if they say from NSPower/CRA/Service Canada), make sure you hang up and call the real number. Anyone calling you can provide you their name and/or extension to call back (only the extension, do not trust the phone number). Phone numbers can be and are spoofed.
- Change your passwords
  Never use the same password on multiple accounts, or if you're extremely lazy, at least have different passwords for your email address and your banks.
- Enable 2FA wherever possible
  Always use multi-factor authentication where possible. For added benefits, use a physical security key like a YubiKey or your phone.
- Check your Home Insurance
  Some home insurance policies include identity theft protection. Review yours.
- Document everything
  Keep a detailed log with timestamps of everything, including dates of discovery and actions taken.
- Contact ALL THE Peoples
  Contact your MLAs, the federal Privacy Office, the Minister of Cybersecurity, whoever. Make your voice heard! Our regulations are severely outdated when it comes to privacy and technology.
- Not for the faint-of-heart
  Although you can technically do this, prepare for a long battle if you want to get a new SIN number, driver's license, health card, etc. Good luck!
Hope this helps at least someone!