
In the wake of a global cybersecurity breach involving MOVEit, a file transfer service used by private sector and government bodies across the globe, over 165,000 letters have been dispatched to the residents of Nova Scotia. The breach, which occurred between May 30 and 31, was initially disclosed by the Nova Scotia government just days after its occurrence.
In an effort to mitigate potential damages from the online hack, the province has spent $2.85 million on credit monitoring services to date. This expenditure is in addition to the $240,000 Nova Scotia paid to IBM in response to the incident. IBM is retained at a cost of $5,600 per month, ensuring immediate availability should its support be required in the wake of such incidents.
Nova Scotia’s Cyber Security and Digital Solutions Minister, Colton LeBlanc, said that the first concern after the breach was discovered was the swift notification of those affected, enabling them to safeguard their identity promptly. Now that this objective has been achieved, the province’s focus can shift towards learning from this experience and fortifying the measures that protect Nova Scotians’ personal data.
Five years of credit monitoring and fraud protection were offered by the province to individuals whose sensitive personal information was compromised during the attack. Interestingly, the breach has not yet resulted in any confirmed financial losses, or any verified usage of the stolen information for criminal activities. Likewise, no losses associated with the breach have been confirmed by government departments.
The breach was linked to MOVEit, a product of Ipswitch, a Massachusetts-based company. This software facilitates file and data transfers among employees, departments, and clients. Ipswitch’s parent company, Progress Software, acknowledged a flaw in its software in late May, citing the potential for unauthorized system and file access. Once alerted by the software company about a critical weakness in its system, Nova Scotia suspended the service temporarily, updated its security, and then reinstated the service, which is considered crucial for the delivery of key government services.
The personal information of certified teachers born in or after 1935 and that of deceased individuals was among the stolen data, the province reported in August. Clop, a group claiming responsibility for the cyberattack, stated that all purloined data from governments, cities, and police services has been erased, although they retained information from private enterprises. The veracity of this statement could not be verified, according to cybersecurity expert Scott Beck.
Initial actions comprised sending more than 118,000 letters containing TransUnion credit monitoring codes to individuals whose sensitive personal information was stolen in the breach, and dispatching just over 47,000 letters, without credit monitoring codes, to Nova Scotians whose compromised information put them at lower risk of identity theft. More than 29,000 residents have opted for credit monitoring since the letters were dispatched. The credit monitoring codes, however, are set to expire on October 31.