Skip to main content

MOVEit cybersecurity breach cost Nova Scotia nearly $4M


On the eve of the anniversary of a massive, world-wide cybersecurity breach, the Nova Scotia government says the response to the MOVEit hack cost the province $3.8 million.

The breach occurred May 30 and May 31, 2023, and affected multiple organizations and millions of people around the globe.

The online hack involved a file transfer service called MOVEit, which is used by the private sector and governments, including Nova Scotia.

The software is made by Burlington, Massachusetts-based company Ipswitch and allows organizations to transfer files and data between employees, departments and customers.

In a news release Wednesday promoting the final report into the online hack, Nova Scotia’s minister in charge of Cyber Security and Digital Solutions said the province has learned a number of lessons from the MOVEit breach.

“We made changes immediately, and we’ll continue to strengthen our defences to keep Nova Scotians’ information as safe as we can,” said Colton LeBlanc.

After the U.S. company initially notified the government of Nova Scotia of a critical vulnerability within its system, the province took the service offline and issued more than 168,000 notification letters Security updates were installed, allowing for the province to bring the service back online.

In its release, the Nova Scotia government says the province is committed to further action on the evolving issues around cybersecurity.

“I’d love to be able to say we will never face another cybersecurity breach,” LeBlanc said. “Cyber threats are unfortunately a reality in the world we now live in. Everyone – governments, private companies and people – are all at risk. We must take steps to protect ourselves.”

According the province, an analysis of the breach confirmed stolen files contained sensitive personal information such as social insurance numbers and banking details for some employees, as well as the personal health information of 1,923 patients.

The province sent out more than 168,000 notification letters to Nova Scotians whose personal information was caught up in the breach. Credit monitoring from TransUnion was offered to those whose sensitive personal information was stolen and some 30,000 people signed up for the service.

Up to this point, the province says it has not been made aware of anyone who has had their personal information used inappropriately as a result of the MOVEit breach.

Last August, the province said certified teachers born in 1935 or later were among those whose personal information was stolen, which included personal details about deceased people.

In June 2023, a group known as Clop, which claimed to be behind the attack, said they deleted all the stolen data from governments, cities, and police services but are keeping information from private companies.

Cybersecurity expert Scott Beck told CTV News Wednesday this breach showed that in this day and age, it’s not a matter of if it will happen, but when.

“How well you respond determines how bad the impacts will be,” he said. “While It’s important to try and prevent incidents from occurring, it’s even more important to detect when something doesn’t look right so you can respond quickly to minimize the impacts.”

Beck said while this incident shows the province has room to improve, Nova Scotia took the right steps after the fact.

Nova Scotia continues to use MOVEit, which it says is essential to delivering core government services. However, in its final report, the province said there is enhanced security within the file transfer system.

Other final report recommendations include:

  • Improving how data is classified and managed.
  • Ensure enhanced capacity to respond to large-scale breaches.
  • Requiring all staff to take mandatory cybersecurity awareness training every year.

For more Nova Scotia news visit our dedicated provincial page. Top Stories

Stay Connected