Nova Scotia identifies thousands of stolen records in global security breach

HALIFAX — Officials in Nova Scotia have identified thousands of files stolen in a global data breach affecting the personal information of at least 100,000 people in the province.

Cybersecurity and Digital Solutions Minister Colton LeBlanc said Friday that a number of current and former teachers were victims of the hack, as were students, inmates and even some newborn babies.

Earlier this week, LeBlanc said the breach of the MOVEit file transfer system, which the province uses to transfer employee payroll information, had affected current and former employees of the public service, including those at Nova Scotia Health and the IWK hospital. The information stolen included social insurance numbers, addresses and banking information.

Advertisement

On Friday, LeBlanc said more people had been affected including members of the public who are not part of the public service, although he was reluctant to give a new overall estimate.

“A teacher could also be a former employee of the civil service or also could have had a parking ticket through the Halifax Regional Municipality,” the minister said. “So one individual could be impacted in a number of different ways.”

LeBlanc said the stolen information includes 55,000 records with names, addresses, dates of birth and years of service involving past and present teachers. Some 26,000 students aged 16 and older had information stolen, including their dates of birth, student ID numbers and civic and mailing addresses — data that was stored in a database shared with Elections Nova Scotia.

Among the others affected by the security breach are 5,000 short-term accommodation owners, 3,800 people who applied for jobs with Nova Scotia Health, and 1,400 Nova Scotia pension plan recipients.

Forty-one babies born between May 19 and 26 had their information stolen, including last names, health card numbers, dates of birth and their dates of discharge from hospital.

Advertisement

The province has said it will contact the people affected and offer them a free credit-monitoring service.

“Some of the details are still being worked out,” LeBlanc said. “Our plan is to start sending letters as soon as next week and that (credit service) information will be included.”

He warned people to be aware of scammers and said when the province reaches out to notify people it won’t be asking for such things as health card information, social insurance numbers or banking information.

The department’s deputy minister, Natasha Clarke, said that while the focus was still on the extent of the breach, a full examination of what happened would be conducted to help shore up the province’s software systems.

“The focus right now is doing that analysis and being as transparent as we can with Nova Scotians,” Clarke said.

Advertisement

Officials later released information showing the province’s contracts for MOVEit date back to 2010 and that the current contract for the software’s licences is through a standing offer with IMP Solutions that was signed in 2020 and costs $30,000 a year.

The current contract expires on May 31, 2024, with options to renew at one-year increments.

MOVEit software is made by Massachusetts-based company Ipswitch and allows organizations to transfer files and data between employees, departments and customers. Parent company Progress Software confirmed a vulnerability in its software last week, saying the issue could lead to potential unauthorized access of users’ systems and files.

The Nova Scotia government has said it was first informed of a critical vulnerability within its system June 1.

This report by The Canadian Press was first published June 9, 2023.

Advertisement

Keith Doucette, The Canadian Press