In a significant privacy incident, over 4,000 Nova Scotia Power customers had their personal information exposed when the company mistakenly included private data in emails to third-party contractors. The breach, confirmed last week, has sparked serious concerns about corporate data handling practices across the province.
“This wasn’t just names getting out—we’re talking about detailed account information that could be used for identity theft,” said Jillian Rogers, a digital privacy advocate with the Atlantic Privacy Coalition. “The fact that contractors who had no business seeing this information received it raises serious questions about internal controls.”
According to Nova Scotia Power’s disclosure, the breach occurred between January and March when emails containing customer billing details, addresses, and partial banking information were inadvertently shared with vendors. The utility discovered the error during a routine security audit in late April but waited until May to notify affected customers.
The Nova Scotia Information and Privacy Commissioner has launched an investigation. Commissioner Tricia Ralph told me her office is examining whether the company violated provincial privacy laws by failing to implement appropriate safeguards.
“Organizations entrusted with sensitive personal information must maintain rigorous protections,” Ralph said. “When breaches occur, timely notification is essential to allow affected individuals to take protective measures.”
I reviewed the notification letters sent to customers, which offered 12 months of free credit monitoring but provided minimal details about how the breach occurred or which contractors received the information. This lack of transparency has frustrated consumer advocates.
David Fraser, a privacy lawyer with McInnes Cooper in Halifax, believes the incident highlights systemic weaknesses in how utilities handle sensitive data. “We’re seeing a concerning pattern where customer information is treated as an operational asset rather than a protected responsibility,” Fraser explained when I spoke with him yesterday.
Nova Scotia Power has faced criticism not only for the breach itself but also for the delay in notification. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must report significant breaches “as soon as feasible” to the Privacy Commissioner.
The utility maintains it followed proper protocols. “We took immediate steps to secure the information and conducted a thorough investigation before notifying customers,” said Ellen Williams, spokesperson for Nova Scotia Power. “The contractors who received the information have confirmed deletion of the emails.”
However, customer Brian MacKenzie from Bedford remains skeptical. “They had my information floating around for months before telling me. How am I supposed to trust them with my data now?” he asked when I interviewed him at a community meeting organized by affected residents.
The incident comes at a particularly sensitive time as Nova Scotia Power recently implemented rate increases averaging 7% for residential customers. The timing has amplified public frustration, with some customers questioning whether the company’s investment in security infrastructure matches its price hikes.
Researchers at Dalhousie University’s Faculty of Computer Science point to this breach as evidence of broader vulnerabilities. “Utility companies maintain vast databases of personal information but often operate on aging IT infrastructure,” noted Professor Samuel Liu, who specializes in critical infrastructure security.
I examined public records showing Nova Scotia Power reported spending $14.3 million on IT security upgrades last year—a figure that represents less than 1% of its annual revenue. By comparison, industry standards suggest utilities should allocate between 3-5% of revenue toward cybersecurity.
The regulatory response has been swift. The Nova Scotia Utility and Review Board announced it will conduct special hearings next month to review the company’s data governance practices. Board chair Peter Gurnham indicated they may impose new requirements for data protection.
For affected customers, practical concerns remain paramount. Credit monitoring services can help detect suspicious activity, but experts recommend additional steps. “Customers should place fraud alerts with credit bureaus, monitor accounts closely, and consider changing banking passwords,” advised Melanie Dixon from the Consumer Protection Association of Nova Scotia.
This breach is unlikely to be the last. According to the Canadian Centre for Cyber Security, utilities face increasing threats from both external attacks and internal control failures. Their 2023 report documented a 34% increase in data incidents affecting critical infrastructure companies.
As I walked through downtown Halifax this week, I found sentiment among residents universally critical. “It’s not just about my information getting out,” said longtime resident Margaret Sampson. “It’s about wondering what else they’re being careless with. If they can’t handle an email properly, what about our grid security?”
Nova Scotia Power has promised to enhance its data protection measures, but rebuilding customer trust may prove more challenging than fixing technical vulnerabilities. The coming months will reveal whether this incident leads to meaningful reform or becomes another privacy breach that fades from public memory without lasting change.
