On Tuesday, the province of Nova Scotia announced that 100,000 public employees had their personal and banking data stolen in the MOVEit hack. Today, the province announced that the ongoing investigation of the hack has discovered that additionally, tens of thousands members of the public had their data stolen.
- about 55,000 records of past and present certified and permitted teachers in Nova Scotia, including name, address, date of birth, years of service, and educational background. The information does not include social insurance numbers or banking information. The list includes people born in 1935 or later.
- about 26,000 students, aged 16 years and older, including date of birth, gender, student ID, school, civic address and mailing address. This information was in the database because it was shared with Elections Nova Scotia.
- about 5,000 short-term accommodations owners in the Tourist Accommodations Registry. The information stolen included name, owner’s address, property address, and registration number.
- about 3,800 people who applied for jobs with Nova Scotia Health, including their demographic data and employment details. Social insurance numbers were not included.
- about 1,400 Nova Scotia pension plan recipients. Their names, social insurance numbers, dates of birth, and demographic data were stolen.
- 1,085 people issued Halifax Regional Municipality parking tickets. Names, addresses, and licence plate numbers were stolen.
- about 500 people in provincial adult correctional facilities; name, date of birth, gender, prisoner ID number, and status in the justice system were stolen.
- about 100 Nova Scotia Health vendors, including product and pricing information. Vendors’ banking information does not appear to be included.
- 54 people issued summary offence tickets; names, driver’s licence numbers and dates of birth were stolen.
- 54 clients of the Department of Community Services, including names, addresses, client ID and transit pass photos.
- about 1,330 people in the Department of Health and Wellness client registry, including name, address, date of birth, and health card number.
- at least 150 people in the Department of Health and Wellness provider registry, including doctors, specialists, nurses, and optometrists. Assessments are ongoing. The information taken includes names, addresses, and dates of birth. It does not include social insurance number or banking information.
- about 60 people with the Prescription Monitoring Program, including names, addresses, dates of birth, health card numbers, and personal health information.
- 41 newborns born between May 19 and 26. Information stolen includes last name, health card number, date of birth, and date of discharge. Parents will be notified.
It’s impossible to put an exact number on the number of people affected, as a person can fall into more than one category — for example, a former school teacher might also have a pension plan and have gotten a parking ticket — and there’s no central provincial database for all citizens.
The province will contact each person affected by the hack via the contact information that was hacked, so it’s possible one person could be getting multiple letters and/or emails notifying them of the hack. People affected will be provided with free credit monitoring.
And what of the hackers?
“We have not been asked for ransom,” said Colton LeBlanc at a press briefing with reporters on Friday. “We indicated that previously the organization that’s claiming to be leading this, this cyberattack is a group of organized criminals — they are cyber criminals. The day that government starts doing business with organized crime, we certainly have to be reconsidering our priorities as a province. We will not be engaging with with cyber criminals.”
The province has a contract worth hundreds of millions of dollars with IBM to operate the government’s SAP system, which includes a file transfer component, so why was MOVEit needed in the first place?
“I think I’m not necessarily going to do a deep dive on the technical architecture on all the different systems that SAP might need to communicate with,” replied Natasha Clarke, the Deputy Minister of Cyber Security and Digital Solutions. “So sometimes it might be that, yes, SAP can facilitate that, but perhaps other systems on the receiving end cannot. So there are many different technical reasons why you would use a service like this that, that we’re not going to necessarily get into because, again, we can’t necessarily reveal those details publicly about our technical architecture.”
Nova Scotia Health began using the MOVEit system on April 30, 2021. It’s unclear when other governmental departments started using MOVEit.
Asked for details of the financing of MOVEit, Department of Health spokesperson Khalehla Perrault replied:
Provincial contracts for MOVEit date back to 2010. The current contract for MOVEit licenses is through government’s standing offer software provider, IMP Solutions and was signed in 2022. It costs the Province $30,000 a year. This contract expires on May 31, 2024, with options to renew at one-year increments.
The Examiner also asked if the province is considering legal action against Ipswitch or its parent company. LeBlanc said the focus is now on identifying the stolen data and notifying people.
This article has been updated with information about the contract for MOVEit.