Nine months after a ransomware attack, Nova Scotia Power still can’t accurately bill a quarter of its customers. Here’s how this compares to similar incidents—and what went wrong.

On March 19, 2025, hackers breached Nova Scotia Power’s network. They weren’t discovered for 37 days. Now, more than nine months later, the utility is still struggling to restore full operations—a recovery timeline that dwarfs comparable incidents in the energy sector.

By the numbers:

  • 375,000 – Customers affected
  • 270+ – Days to recovery (and counting)
  • 37 – Days the attackers went undetected
  • 25% – Customers still receiving estimated bills

What Happened

Nova Scotia Power, the primary electricity provider for 550,000 customers in the province, was hit by what CEO Peter Gregg later called “an unprecedented, sophisticated, and targeted attack.” Based on expert assessments, there’s high confidence the attack was carried out by a Russia-based threat actor group.

The attackers gained access on March 19, 2025, but the breach wasn’t detected until April 25—giving them over five weeks to move through the network and exfiltrate data. During this time, they stole sensitive customer information including:

  • Names, addresses, and phone numbers
  • Social Insurance Numbers
  • Driver’s license numbers
  • Bank account details
  • Billing and payment history
  • Power consumption data

Key Point: The initial notification said 277,000 customers were affected. By October, NSP identified an additional 97,000 victims, bringing the total to approximately 375,000—more than half of all customers.

The Timeline

March 19, 2025: Attackers gain unauthorized access; data exfiltration begins

April 25, 2025: Breach detected; incident response activated; billing suspended

April 28, 2025: Public announcement of cybersecurity incident

June 2025: Billing resumes—but with estimated usage only; $1.8M security upgrade approved

July 2025: Customer notifications mailed; manual meter reading begins with 100 new workers

November 2025: CEO testifies before legislature; confirms Russia-based actor attribution

December 2025: Premier requests investigation; energy board launches billing inquiry; 25% still on estimated bills

March 2026 (projected): Full meter connectivity expected to be restored

That’s a projected recovery time of approximately 12 months from breach detection to full restoration.

How Does This Compare?

Industry data paints a stark picture of just how long NSP’s recovery is taking:

MetricIndustry AverageNSP Actual
Average ransomware recovery21-24 days270+ days
Billing system restoration1-3 weeks~6 weeks (partial)
Full system restoration1-3 months~12 months (projected)

Even within the energy sector, where recovery times tend to be longer (more than half of victims take over a month), NSP’s timeline is exceptional.

Colonial Pipeline (May 2021)

The most famous recent comparison is Colonial Pipeline, which supplies 45% of the East Coast’s fuel. Their attack, also by a Russia-linked group (DarkSide), caused gas shortages across 17 states and prompted a presidential emergency declaration.

Colonial Pipeline Recovery: 6 days from shutdown to full operations. The company paid a $4.4 million ransom (later partially recovered by the DOJ) and used the decryption key to accelerate restoration.

Delta-Montrose Electric Association (November 2021)

This Colorado utility cooperative was hit by a ransomware attack that wiped out payment processing, billing, and internal systems. They suffered significant data loss—reportedly 25 years of company data was affected.

Recovery time: Approximately one month for billing systems, though security experts noted the extended timeline highlighted gaps in their backup systems.

Qulliq Energy Corporation (January 2023)

This Nunavut power utility experienced a network breach that crippled administrative offices. However, power generation and distribution remained unaffected, and administrative systems were restored within weeks.

Why Is NSP Taking So Long?

Several factors explain the extended timeline:

  1. No Ransom Paid: Unlike Colonial Pipeline, NSP couldn’t pay even if they wanted to. CEO Peter Gregg explained: “It would have been illegal for us to pay a ransom in this situation because the attacker…is on the U.S. sanctions list.” Without a decryption key, everything had to be rebuilt from scratch.
  2. Legacy Infrastructure: According to filings with the energy board, NSP acknowledged that “a majority of its network equipment was considered ‘end of life’ in 2016.” That’s nearly a decade of technical debt that complicated recovery efforts.
  3. Smart Meter Complexity: NSP has over 530,000 smart meters that need to communicate with billing systems. Restoring this connectivity requires individual verification and testing. As of November, only 75% had been manually read.
  4. 37-Day Dwell Time: The attackers had over five weeks of undetected access. This extended dwell time allowed deep penetration and extensive data theft, making it harder to determine the full scope of compromise.

The Customer Impact

The technical challenges have translated into real problems for customers:

  • Billing chaos: Some customers received bills double or triple their normal amount based on estimated usage. The utility lost its ability to “talk to the meters,” forcing staff to estimate consumption.
  • Identity theft risk: With SINs, banking details, and driver’s licenses exposed, 375,000 customers face ongoing fraud risk. NSP is now offering five years of free credit monitoring.
  • Political fallout: Premier Tim Houston has requested an official investigation, saying “Customers should not be paying for NSP’s failures.” A class-action lawsuit has been filed.
  • Contractor payments: Suppliers and contractors are owed hundreds of thousands of dollars due to payment system disruptions.

“I want to acknowledge and apologize for the concern and disruption this has caused. My promise to you is that if we have overestimated your bill, we will fix it. If you have overpaid, we will fix it. And if we make a mistake, we will fix it.” — Peter Gregg, CEO, Nova Scotia Power (November 2025)

What NSP Got Right

It’s worth noting what didn’t go wrong:

  • The grid stayed up: There was no disruption to power generation, transmission, or distribution. Customers never lost electricity because of the attack.
  • No ransom paid: While this extended recovery, it avoided funding criminal enterprises and potentially prevented future attacks.
  • Transparent (eventually): The company has held community sessions and the CEO has testified publicly about the incident.

Lessons for Other Utilities

  1. Invest before the breach: End-of-life equipment in 2016 that’s still running in 2025 is a recipe for disaster. Modernization can’t wait until after an attack.
  2. Detection matters: 37 days of dwell time is far too long. Enhanced monitoring and threat detection could have limited the damage.
  3. Test your backups: If you can’t pay ransom (either due to sanctions or policy), your backup and recovery strategy is everything. Make sure it actually works.
  4. Minimize data collection: NSP has stopped collecting Social Insurance Numbers going forward and plans to purge existing ones by March 2026. This should have been policy before the breach.
  5. Plan for billing disruption: Smart meter dependencies create single points of failure. Manual reading processes should be documented and staff should be trained before they’re needed.

The Bottom Line

Nova Scotia Power’s recovery timeline is among the longest for any comparable North American utility cyber incident. While protecting the physical grid and refusing to pay ransom were the right calls, the extended IT recovery reflects years of underinvestment in infrastructure and cybersecurity preparedness.

For IT directors and executives at other utilities: this is what happens when “end of life” equipment stays in service for nearly a decade and detection capabilities can’t spot intruders for over a month. The time to invest is before the breach—not after.

Current Status

As of late December 2025:

  • 75% of meters have been manually read
  • 25% of customers remain on estimated bills
  • Full meter connectivity expected by March 2026
  • Energy board investigation ongoing
  • Class-action lawsuit pending
  • NSP has committed to removing all SINs from systems by March 31, 2026

The Nova Scotia Energy Board is conducting its own investigation into whether NSP “acted prudently before, during and after the event.” That assessment may take months more to complete.

Sources: Nova Scotia Power official statements, CBC News, Global News, The Record, BleepingComputer, Statista, Utility Dive, CISA, and industry cybersecurity research.

Last updated: December 2025.

Categories: Security