Skip to Content

Privacy commissioner calls on N.S. to increase security after MOVEit breach

Port Hawkesbury, NS, Canada / 101.5 The Hawk
Caitlin Snow
Feb 19, 2025 | 1:27 PM
Privacy commissioner calls on N.S. to increase security after MOVEit breach

Image: CyberNB



Nova Scotia’s privacy commission is calling on the province to beef up its security after an investigation into a massive cybersecurity breach.

It was May 2023 when the file transfer system called MOVEit was victim to a global cybersecurity attack.

It affected over 165,000 with more than 118,000 who had personal information stolen such as social insurance numbers and banking information.

The Office of the Privacy Commissioner (OPIC) then launched an investigation after 110 complaints.

According to a release from the office, Privacy Commissioner Tricia Ralph says government did not comply with its legal obligations to have certain practices in place before MOVEit was even launched.

Tricia Ralph says this includes basic things like assessing privacy risks and implementing retention and disposition schedules, which is a list of how long to keep records and what to do with them when no longer needed.

“[Commissioner Ralph] calls on the Nova Scotia government to strengthen its security safeguards in order to protect Nova Scotians’ personal information from the increasing threat of cyberattacks.”

In addition to that, according to Ralph, although the province contained the breach quick enough including notifying those affected, the response still could have been better.

Ralph is referring to the letters sent out to those affected, which according to her, did not provide enough information and many had contact information that was outdated.

She recommends getting input from the privacy commissioner’s office next time.

Ralph has eight recommendations:

  • A privacy impact assessment (PIA) from the provincial government.
  • Details of the PIA be made public within 60 days of the report
  • Clear retention and disposition schedules
  • Consult with OPIC before sending letters to those affected
  • Make sure information contact information is up to date
  • Post a post incident response plan within 90 days of the report
  • Complete the tasks from the response plan

The Nova Scotia government has 30 days to decide whether it will follow the recommendations.