Nova Scotia Power Hack: 915,000 Customers Exposed by One Click

In April 2025, a single employee at Nova Scotia Power clicked a malicious pop-up. That one moment was enough to expose the personal data of approximately 915,000 current and former customers, according to findings from the Privacy Commissioner of Canada. The breach is a stark reminder that even large, critical infrastructure providers are not immune to social engineering attacks, and that your personal data is only as safe as the weakest link in any organization that holds it.

What Data Was Exposed

The scope of information compromised in this breach is significant. Affected customers may have had the following data exposed:

  • Full names
  • Phone numbers
  • Email addresses
  • Mailing addresses
  • Dates of birth
  • Customer account histories, including payment records, billing history, and credit history
  • Bank account numbers
  • Driver's license numbers
  • Social Insurance Numbers (SINs)

That is not a minor data leak. A combination of bank account numbers, SINs, and driver's license numbers gives bad actors nearly everything they need to commit identity fraud or open fraudulent accounts in someone's name. The fact that this data was sitting in the systems of a utility provider, a company most people interact with simply to keep the lights on, underscores how broadly our sensitive information is distributed across organizations we rarely think about.

How a Pop-Up Brought Down a Power Company's Defenses

The attack method here was not sophisticated malware deployed by a nation-state. It was a malicious pop-up, the kind of thing most of us have encountered while browsing the web. One employee clicked it, and that was enough to open a door into Nova Scotia Power's systems.

This is social engineering in its most basic form. Attackers do not always need to break through firewalls or bypass encryption. Often, the easiest path is a human one. A convincing pop-up, a fake login prompt, or a well-crafted phishing email can bypass layers of technical security in seconds.

Large organizations invest heavily in perimeter security, but user behavior remains one of the hardest variables to control. No IT department, regardless of budget or expertise, can guarantee that every employee will make the right call every time. That is not a criticism of Nova Scotia Power's staff; it is simply the reality of how these attacks work. They are designed to be convincing, and they are designed to exploit the brief moment when someone's guard is down.

What This Means For You

If you are a current or former Nova Scotia Power customer, you should take the following steps seriously:

Monitor your accounts. Check your bank statements and credit reports for any unusual activity. In Canada, you can request a free credit report from Equifax and TransUnion.

Watch for phishing attempts. With your email address, name, and account history now potentially in the hands of attackers, you may become a target for highly personalized phishing emails. Be skeptical of any message that asks you to click a link or provide information, even if it appears to come from a trusted source.

Enable multi-factor authentication (MFA) everywhere you can. MFA adds a second layer of verification to your accounts, making it significantly harder for someone to access them even if they have your password.

Consider a credit freeze. If you are concerned about identity fraud, a credit freeze with Canadian credit bureaus can prevent new accounts from being opened in your name without your explicit authorization.

Practice data minimization going forward. Think carefully about what personal information you share with any service, and provide only what is strictly necessary.

It is also worth reflecting on a broader point: you cannot control how every organization stores or protects your data. Utility providers, insurers, retailers, and healthcare providers all hold pieces of your personal profile. When one of them is breached, the fallout lands on you. This is why layering your own privacy protections matters, not because it prevents a company from being breached, but because reducing your overall exposure limits the damage when breaches do occur.

Taking Your Own Privacy Seriously

The Nova Scotia Power breach is a useful prompt to audit your own digital habits. Using a VPN like hide.me encrypts your internet traffic and masks your IP address, which helps protect your online activity from being observed or intercepted, particularly on public or unsecured networks where malicious pop-ups and phishing redirects are more common. A VPN does not stop you from clicking a malicious pop-up, and it will not stop a utility company from being hacked, but it is one practical piece of a broader privacy strategy.

Pair a VPN with strong, unique passwords for every account, MFA wherever it is offered, and a healthy skepticism toward unsolicited messages, and you have a meaningful defense against many of the downstream risks that come from breaches like this one.

Companies will continue to be targeted. Employees will sometimes click the wrong thing. The question is how prepared you are when that happens.