At least 100,000 Nova Scotians affected by cybertheft of government employee files

Nova Scotia's Minister of Cyber Security and Digital Service Colton LeBlanc said Tuesday that information taken by the
Nova Scotia's Minister of Cyber Security and Digital Service Colton LeBlanc said Tuesday that information taken by the

Cybercriminals made off with the personal and banking information of at least 100,000 Nova Scotians last week, before the Nova Scotia government secured a file transfer service that had been breached as part of a global attack on MOVEit.

Nova Scotia's Minister of Cyber Security and Digital Service Colton LeBlanc provided that number Tuesday as part of an update on the investigation into the cybertheft, which he first disclosed on Sunday.

"100,000 people, 100,000 Nova Scotians being employees, current or past employees of Nova Scotia Health, the IWK, as well as the provincial civil service, have been impacted," LeBlanc told reporters during a virtual briefing. "We still have more work to do and as that work unfolds, that number could go up or it could go down."

The minister said the information taken by the "cybercriminals" was payroll data that was transferred between departments, including banking details, home addresses and social insurance numbers.

British Airways, the UK drugstore chain Boots and Britain's BBC have also been hacked by criminals exploiting a weakness in the same MOVEit software used in Nova Scotia, Reuters news service reported Monday. That's affected tens of thousands of their employees.

Although the province said it acted as soon as it was notified of a possible vulnerability in the MOVEit service on June 1, the department's deputy minister Natasha Clarke confirmed that the software patch to plug the digital hole was applied after the data was taken.

"Our investigation showed that the the stolen data that took place the two days prior to us being notified that there was a vulnerability." said Clarke. "So once we put the patching in place, there was no more nefarious activity that we were able to see as a part of our investigation."

Investigation continues

Clarke said there was no evidence, so far, that any information provided by the public to any government department had been taken by those who broke into the government computers.

"That investigation is ongoing," said Clarke. "I think the approach we're taking here is not letting perfect be the enemy of good."

"What's important is we want to be confident, come out with good information and be as transparent to Nova Scotians knowing that we don't have all of the answers.

Despite being responsible for the breach, the senior bureaucrat defended MOVEit as a "world class or in the top of the software solutions" that provide this kind of file transfer service. She did acknowledge, given the circumstances, her statement might seem ironic.

The provincial government is promising to contact those affected "as soon as possible" and offering them access to a credit monitoring service.

Union worried about risk

Sandra Mullen, president of the Nova Scotia Government and General Workers Union, said the province's largest public sector union only learned of the magnitude of the breach minutes before the minister spoke to reporters.

"We were pretty concerned when we heard rumblings of a privacy breach," Mullen told CBC News. "The numbers are huge, from what they're saying and it impacts many of our members, potentially myself included."

Mullen said her union had not yet heard from any member who has lost money or otherwise suffered as a consequence of their personal information being in the hands of someone else.

Mullen pledged to make sure the provincial government moved quickly to notify individuals whose "critical" information had been taken.

"We will do our best to make sure that they are responding as fast as they can, in a safe manner and working hard to ensure that information is protected in the future," said Mullen.

Microsoft security experts have said the hackers are affiliated with the notorious Clop ransomware group.

Rob McLeod, the vice-president with cybersecurity company eSentire's Threat Response Unit, said the group has done this before, affecting a large number of organizations globally.

"This group has done this in the past. It's taken several months for them to actually go through this data, look for any sort of high-value victims or customers in that, and then directly contact them," McLeod told CBC Radio's Information Morning Nova Scotia on Wednesday.

He said victims could be at risk of identity theft and tax-based scams, so they should take advantage of the credit monitoring service offered by the province.

"I would say this is an early warning indicator for the 100,000 affected victims. They're still going to need to keep a very close eye on all of their banking information, all of their credit information, also their [Canada Revenue Account]," he said.

Other stolen data

In recent years, the Nova Scotia government has dealt with at least two major data breaches. In August 2020, Nova Scotia Health reported on eight of its own employees for snooping into the electronic health records of individuals associated with the events of the April 2020 shooting rampage in the province.

In 2018, two people accessed close to 7,000 documents posted on the province's Freedom of Information access website. Those documents were requested by 740 individuals but were available to others because the website had a design flaw that could allow others to access the material.