NS identifies thousands more victims of global data hack, including school staff

Nova Scotia’s cybersecurity minister Colton LeBlanc says his department has identified thousands more people affected by a recent global data breach, and this week begins the process of notifying the “most vulnerable” victims of the hack .

But LeBlanc told a press conference on Wednesday that it’s difficult to give a precise estimate of how many people were affected by the MOVEit file transfer service breach due to the large number of individuals with duplicate files.

After the cyberattack became public, LeBlanc said on June 6 that as many as 100,000 people in the county had had their personal information stolen, such as social security numbers, addresses and bank information.

The minister said on Wednesday that personal data, including names, addresses and social security numbers, had been stolen from an additional 13,000 active employees at regional education centers and the province’s francophone school board.

Hackers also stole personal information from about 17,500 water and tax bills at the Municipality of Queens in southwestern Nova Scotia, along with data from the Nova Scotia Pension Agency. The county said Halifax Water also notified 25,000 customers that names and account numbers were part of the data breach.

LeBlanc said the county will distribute notification letters to “the most affected vulnerable groups” by the end of this week. Among them are those whose data, including photos, have been leaked from the Department of Community Services. LeBlanc said the county has not yet determined whether the stolen information has been published.

A ransomware group called Clop has claimed to be behind the cyber-attack, but said it had deleted public agency data – something cybersecurity experts say should be treated with skepticism.

“There is no reason for a criminal enterprise to simply delete information that might be of value,” Brett Callow, a threat analyst at cybersecurity firm Emsisoft, said last week. Callow said the data could be sold or traded, or used for phishing, a type of email scam that lures people into sharing personal information.

LeBlanc told reporters the breach affected 5,800 digital directories, each containing “a number of files and records,” but did not specify the total number of people affected, citing “the complexity of manually sifting through all those files.”

Secretary of State Natasha Clarke said some agencies have sent out their own notifications about the data breach, but the Department of Cybersecurity will lead the formal notification process. LeBlanc added that it will likely take weeks or even months to notify everyone involved, something liberal critic Braedon Clark dreaded.

“When you talk about having your social security number, or your bank details in the worst cases, it’s really concerning not knowing for weeks,” Clark told reporters after the press conference.

He said the lack of information could lead to fear, confusion and anxiety among those affected. “I think if people get that information in a timely manner, they get some peace of mind,” he said.

LeBlanc said the county does not plan to hold more briefings on the data breach, but will provide updates through press releases and social media.