As many as 100,000 Nova Scotians may have had sensitive personal information stolen in a global privacy breach affecting a file transfer system used by the provincial government, officials confirmed Tuesday.
Cybersecurity and Digital Solutions Minister Colton LeBlanc said a government investigation indicates social insurance numbers, addresses and banking information of current employees of the public service, as well as those at Nova Scotia Health and the IWK hospital, were taken.
LeBlanc says some information may also have been stolen from former public service and health authority employees. He said the information was shared through the MOVEit file transfer service, which the province uses to transfer employee payroll information.
“The investigation remains underway so there is the potential for this number to go up or to go down,” the minister said. “I know this is an alarming situation, but rest assured we are working hard to solve this quickly and efficiently.”
LeBlanc said the province is working to contact those affected and will be offering them a free credit monitoring service. ”But when we are talking 100,000 Nova Scotians, that’s going to be a challenge,” added LeBlanc, who pointed out some people’s contact information may have changed over the years. He also urged current and former employees to look for suspicious transactions and to contact their banks.
The department’s deputy minister, Natasha Clarke, said that at this point there is no indication that any of the information compromised came from members of the public who were not provincial employees.
MOVEit software is made by Massachusetts-based company Ipswitch and allows organizations to transfer files and data between employees, departments and customers. Parent company Progress Software confirmed a vulnerability in its software last week, saying the issue could lead to potential unauthorized access of users’ systems and files.
The Nova Scotia government has said it was first informed of a critical vulnerability within its system on Thursday. The province took the service off-line and installed a security update before bringing it back online Friday, only to be told further investigation was needed. Cybersecurity experts were then called in on Saturday evening.
Clarke confirmed the investigation indicates that the data was stolen two days before the Nova Scotia government learned of the vulnerability. “So once we put the patching in place there was no more nefarious activity that we were able to see,” she said.
Microsoft Threat Intelligence has said in a tweet that the Lace Tempest hacking group, which is known for running the Clop extortion site, exploited that vulnerability.
LeBlanc would not confirm who had hacked into Nova Scotia’s system, adding that “I am not going to comment on interactions with criminals.” But Clarke said the government “at this point in time” is not negotiating with the hackers.
“Now the focus is understanding the impact of the data that has been stolen, and we have not been asked for any ransom,” she said.
The deputy minister said the government has been working with its internal security team as well as with outside experts, including an unnamed large private firm that the province has on retainer. Clarke said Nova Scotia is also working with the Canadian Centre for Cyber Security.
In an email, MOVEit said it disabled web access to protect customers and developed the security patch and gave it to customers within 48 hours of discovering the vulnerability.
“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” the company said. “We have engaged with federal law enforcement and other agencies with respect to the vulnerability.”
This report by The Canadian Press was first published June 6, 2023.