Beyond the Breach: Nova Scotia Power’s Cyber Crisis Sparks Deeper Questions on Trust and Accountability
- DGT Blogger

- 12 hours ago

Nearly a year after a significant cyberattack disrupted operations at Nova Scotia’s primary electricity provider, the fallout continues to unfold. What began as a cybersecurity incident has now evolved into a broader examination of governance, transparency, and public trust. The province’s energy regulator has confirmed that its inquiry into the March 2025 attack on Nova Scotia Power will proceed in two separate phases: one focused on the technical dimensions of the breach, and another on billing practices and data governance.
The attack reportedly exposed the personal information of approximately 280,000 customers. Company officials indicated that the incident was likely carried out by a Russia-based actor, underscoring the growing geopolitical dimension of cyber threats targeting critical infrastructure. However, the technical breach is only part of the story.
The Nova Scotia Energy Board has determined that a second investigation is necessary to assess how the utility collected and stored customer data, as well as how it calculated estimated power bills after losing communication with smart meters during the incident. This dual-track approach reflects the reality that cyberattacks rarely affect only IT systems; they ripple into operations, customer service, billing, and ultimately public confidence.
In the months following the attack, customers reported spikes in their electricity bills, with some alleging consecutive charges within short periods. Provincial leaders publicly questioned the methodology behind the estimates, calling for clarity and accountability. Utility representatives explained that the system estimates usage based on seasonal patterns, with “cold month” calculations beginning in November. However, the abrupt adjustments and communication gaps have fueled frustration and legal scrutiny.
The situation has escalated beyond regulatory review. A proposed class-action lawsuit alleges failures in data governance, responsiveness, and billing accuracy, affecting hundreds of thousands of customers. Meanwhile, the Office of the Privacy Commissioner of Canada is also examining the breach, adding another layer of oversight. At the same time, the utility has proposed residential rate increases, further heightening public sensitivity to the issue.
This unfolding crisis highlights a broader lesson for utilities and other operators of critical infrastructure: cybersecurity resilience must extend beyond perimeter defenses. It must encompass data governance, operational continuity, billing integrity, and transparent communication. When cyber incidents intersect with essential services such as electricity, the impact is immediate and deeply personal for customers.
The upcoming hearings will examine not only the technical safeguards in place prior to the attack, but also recovery measures, staff training, and enhancements implemented since then. Just as importantly, the second inquiry will assess how customer information was handled and what protections were put in place to guard against fraud and identity theft.
For organizations observing this case, the takeaway is clear. Cybersecurity is no longer an isolated technical function; it is a core component of operational and reputational risk management. Continuous monitoring, proactive vulnerability assessments, strong governance frameworks, and well-rehearsed incident response plans are essential to prevent a breach from escalating into a prolonged crisis.

In this evolving landscape, many organizations are turning to Managed Security Service Providers such as Directpath Global Technologies (DGT) to strengthen their posture. DGT supports enterprises through services including mobile threat defense, extended detection and response, vulnerability assessment and penetration testing, next-generation firewalls, SOC 2 readiness, vulnerability risk management, web application firewalls, virtual CISO support, and operational technology security. Its advanced artificial intelligence division further enables tailored strategies that integrate cybersecurity with broader operational resilience.
As Nova Scotia’s inquiries proceed, one message resonates beyond provincial borders. Critical infrastructure providers must treat cybersecurity not merely as compliance or risk mitigation, but as a foundation of public trust. When that trust is tested, the consequences reach far beyond systems and servers; they affect livelihoods, finances, and confidence in the institutions that power daily life.

Source: The Globe and Mail


