The provincial government has identified more people whose personal information was stolen through the MOVEit global cybersecurity breach.

They include 13,000 current public school teachers and staff, about 100 patients who visited the early labour and assessment unit at the IWK Health Centre, and 17,500 water and tax bill accounts with the Region of Queens Municipality.

“To be clear, all of this is in addition to the groups of people announced in our news conferences last week — civil servants, staff at Nova Scotia Health, IWK, certified teachers, Community Services clients, and incarcerated people,” Cyber Security and Digital Solutions Minister Colton LeBlanc said during a media briefing Wednesday afternoon.

LeBlanc said “significant progress” has been made identifying those affected by the breach. He said his department was confident all groups of Nova Scotians whose sensitive personal information was stolen have been identified. 

Starting at the end of this week, the province will begin sending notification letters to those affected. The letters will provide information required to register for a free fraud protection and credit monitoring service. 

“I’m expecting it to take many weeks…There’s many records. There’s also the risk of duplication,” LeBlanc said of the timeframe for sending letters. “But we’re not going to let that get in our way. Nova Scotians may receive more than one letter.”

LeBlanc said they’ll begin by sending letters to one of the most vulnerable groups impacted. That group, he elaborated, included Department of Community Services clients whose stolen data included photos and personal information. 

‘May be the first time, but likely not the last’

The province will continue sending letters to everyone affected in the weeks ahead. 

“This may be the first time the department has faced this issue. But make no mistake, it likely won’t be the last. I hope that Nova Scotians are taking this very seriously,” LeBlanc said. 

“I hope they’re watching closely. I urge everyone to watch their financial transactions, update their software and operating systems, and change their passwords. Install multi-factor authentication. It’s important.”

Files that were compromised during the cybersecurity attack were also sent to individual government departments and organizations that use MOVEit. This was to allow them to review the files and notify people. 

As an example, the department said Halifax Water notified about 25,000 customers that their names and account numbers were impacted by the breach.

“We’ve been working extensively with a number of different partners, I think somewhere upwards of 20 different partners. So, that includes 11 provincial departments,” Natasha Clarke, Deputy Minister of Cyber Security and Digital Solutions, told reporters.

Those partners include the municipalities of Queens and HRM, the Nova Scotia Pension Agency, regional centres for education and the Conseil scolaire acadien provincial (CSAP), Elections Nova Scotia, IWK Health Centre, and Nova Scotia Health.  

Exact number affected unknown

LeBlanc said pinning a definitive number on how many Nova Scotians have been affected is challenging. 

While the initial number was estimated at 100,000, LeBlanc said the breach involved more than 5,800 folders, each containing multiple files and records. As files are reviewed, the number shifts. 

“For example, the number of recipients of Nova Scotia pensions whose name, date of birth and demographic information were compromised has changed to 900 from the 1,400 reported last week,” notes a provincial media release.

“Also, the number of incarcerated Nova Scotians whose prisoner ID number, name, gender, date of birth and incarceration status were compromised has increased to 655 from 500.”

LeBlanc said Wednesday’s update was the last planned news briefing on the cybersecurity issue. He said the public will be updated regularly via the province’s website, news releases, and on social media where appropriate. 

“Our focus is on the notification process and encouraging people to take advantage of the free credit and fraud monitoring services,” LeBlanc said. 

“This breach has come at a rough time for so many in our province. I know this has added worry and stress at a time when people didn’t need it.”

Latest groups and people impacted by the breach:

Since the last update on June 9, the following members of the public and the public service were identified by the province as having been affected by the breach:

— about 13,000 active employees of regional centres for education and the Conseil scolaire acadien provincial (CSAP). This includes teachers, as well as administrative, human resources, and finance staff. Information breached includes name, address, social insurance number, pension payment amounts, and gender. This is different from the list of certified and permitted teachers announced Friday, June 9, although there may be overlap.

— about 480 individuals in the Prescription Monitoring Program. This includes health card number, personal health information, and demographic information. This is an update to the 60 people announced Friday.

— about 17,500 water and tax bill accounts with the Region of Queens Municipality, including name, address, account number, payment amount, and balance owing. This does not include other financial information. 

— just more than 100 patients who visited the early labour and assessment unit at the IWK Health Centre. The personal health information breached was limited — name, date and time of visit, and reason for visit.

— five students from a Department of Labour, Skills and Immigration file have had their name, address, social insurance number, phone number, and date of birth released; two students have had their name, institution, and student ID number released.

Elections Nova Scotia’s voters list was also on MOVEit so it could be shared with political parties. But this file was shared in a way that made it inaccessible, and the investigation has indicated it was not compromised.

Updates and information on the breach — including advice for potential victims — are available here.

Yvette d’Entremont is a bilingual (English/French) journalist and editor who enjoys covering health, science, research, and education.

1 Comment

  1. I know it’s not his fault, but this massive data breach happened on his watch. Therefore, Mr. LeBlanc should resign as Minister in charge of data security. Why do we need a Minister for that anyway?