Nova Scotian residents personal information stolen in an instance of MOVEit exploit
Learn More
Vicitms of the MOVEit exploited vulnerability are starting to report incidents and data breaches.
The Minister of Cyber Security and Digital Solutions Colton of Nova Scotia announced that a global privacy breach vulnerability of the file transfer service called MOVEit has resulted in the theft of personal information belonging to some residents of Nova Scotia. It's estimated that around 100,000 individuals were impacted.
Upon being alerted by Progress Software Corp. on June 1 about a critical vulnerability, the provincial government swiftly took their instance of the MOVEit service offline, implemented the recommended security update, and subsequently restored the service. However, additional investigation confirmed that the MOVEit instance has been compromised before the patching.
An ongoing manual review of the accessed files is being conducted by staff to determine the extent of the stolen information and its owners. The investigation indicates that the data was stolen two days before the Nova Scotia government learned of the vulnerabilit.
Update
The government of Nova Scotia has shared details of the exposed individuals and data:
- Records of 55,000 past and present teachers in Nova Scotia — including name, address, date of birth, years of service and educational background;
- 26,000 students;
- 5,000 short-term accommodations owners in a tourism registry;
- 3,800 people who applied for jobs with Nova Scotia Health, including their demographic data and employment details;
- 1,400 pension plan recipients;
- 1,000 people that have been issued parking tickets;
- 500 people in correctional facilities;
- 150 people in the Department of Health and Wellness provider registry, including doctors, specialists, nurses.
Additionally the following groups were identified as impacted
- 13,000 employees working at regional centres for education and the province’s francophone school boards
- 17,500 water and tax bill accounts belonging to the Region of Queens Municipality in southwestern Nova Scotia, as well as data from the Nova Scotia Pension Agency.
- 25,000 customers of Utility provider Halifax Water had their names and account numbers in the breach
Anyone whose sensitive personal information was stolen in Nova Scotia will receive credit monitoring and fraud protection services, according to the government.
Affected Nova Scotians will be directly contacted by the provincial government to inform them of the impact, and a dedicated website will be launched to provide relevant details and regular updates on the data breach.
As of the announcement, the government had not received any ransom notifications related to the breach.
