Earlier this year, staff at Nova Scotia Power submitted a proposal to upgrade their cybersecurity. The privately owned company, which supplies most of the province’s electricity, had gone three years since an internal threat assessment flagged key vulnerabilities, specifically the power plants and substations that fed the grid. If approved, the work would have wrapped by year’s end.

They never got the chance. Just three weeks after the proposal was submitted, hackers struck. But not to sabotage infrastructure. Instead, they made off with the personal data of at least 280,000 customers: emails, phone numbers, home addresses, bank details—enough for determined malcontents to impersonate individuals and wreak havoc. Then came the shakedown. The company insists it didn’t pay, and some of the plundered information was posted online. A few weeks after the attack was made public, a Nova Scotia couple, and clients of the utility, logged into their bank account and found $30,000 gone.

Nova Scotia Power is hardly an outlier. Ransomware gangs have turned public institutions into easy prey, breaking in, locking files, and holding them hostage for money. Refuse, and the information goes public. High-profile breaches include Alberta Dental Service Corporation and the Toronto District School Board.

The situation in the private sector is, if anything, more dire. Eighty-three percent of Canadian businesses surveyed by Telus in 2021 reported experiencing a ransomware attack. Nearly half admitted they paid up. In a recent report, the Canadian Centre for Cyber Security warns that ransomware is now “the top cybercrime threat facing Canada’s critical infrastructure,” with the average payout in 2023 exceeding $1 million. The wider toll is staggering: in 2024, Canadians lost more than $600 million to fraud and cybercrime—most of it tied to identity fraud, made possible by the kind of personal data stolen in the Nova Scotia Power attack.

While Canada has been slow to adapt to the threat, ransomware has raced ahead in the past five years, turbocharged by pandemic-related security challenges and advances in artificial intelligence.........

© The Walrus