At least 100,000 Nova Scotians affected by cybertheft of government employee files
CBC
Cybercriminals made off with the personal and banking information of at least 100,000 Nova Scotians last week, before the Nova Scotia government secured a file transfer service that had been breached as part of a global attack on MOVEit.
Nova Scotia's Minister of Cyber Security and Digital Service Colton LeBlanc provided that number Tuesday as part of an update on the investigation into the cybertheft, which he first disclosed on Sunday.
"100,000 people, 100,000 Nova Scotians being employees, current or past employees of Nova Scotia Health, the IWK, as well as the provincial civil service, have been impacted," LeBlanc told reporters during a virtual briefing. "We still have more work to do and as that work unfolds, that number could go up or it could go down."
The minister said the information taken by the "cybercriminals" was payroll data that was transferred between departments, including banking details, home addresses and social insurance numbers.
British Airways, the UK drugstore chain Boots and Britain's BBC have also been hacked by criminals exploiting a weakness in the same MOVEit software used in Nova Scotia, Reuters news service reported Monday. That's affected tens of thousands of their employees.
Although the province said it acted as soon as it was notified of a possible vulnerability in the MOVEit service on June 1, the department's deputy minister Natasha Clarke confirmed that the software patch to plug the digital hole was applied after the data was taken.
"Our investigation showed that the stolen data that took place the two days prior to us being notified that there was a vulnerability," said Clarke. "So once we put the patching in place, there was no more nefarious activity that we were able to see as a part of our investigation."
Clarke said there was no evidence, so far, that any information provided by the public to any government department had been taken by those who broke into the government computers.
"That investigation is ongoing," said Clarke. "I think the approach we're taking here is not letting perfect be the enemy of good."
"What's important is we want to be confident, come out with good information and be as transparent to Nova Scotians knowing that we don't have all of the answers."
Despite the software being responsible for the breach, the senior bureaucrat defended MOVEit as a "world class or in the top of the software solutions" that provide this kind of file transfer service. She did acknowledge that, given the circumstances, her statement might seem ironic.
The provincial government is promising to contact those affected "as soon as possible" and offering them access to a credit monitoring service.
Sandra Mullen, president of the Nova Scotia Government and General Workers Union, said the province's largest public sector union only learned of the magnitude of the breach minutes before the minister spoke to reporters.
"We were pretty concerned when we heard rumblings of a privacy breach," Mullen told CBC News. "The numbers are huge, from what they're saying and it impacts many of our members, potentially myself included."