Nova Scotia says all victims of MOVEit breach have been notified

One of the first North American organizations to suffer a data breach because of a vulnerability in the MOVEit file-transfer software says it has notified more than 165,000 people that their personal information was stolen.

The government of Nova Scotia said on Thursday that it has finished sending letters to all victims of the incident in late May and is spending CA$2.85 million Canadian ($2.16 million) for credit monitoring services.

“Now, we can turn our focus to setting out the lessons we’ve learned and ensuring departments are doing what they need to do to keep Nova Scotians’ personal information safe,” said Colton LeBlanc, the province’s cybersecurity minister, in a news release.

The timeline of the Nova Scotia response underscores how time-consuming it can be for a government to analyze stolen data and officially notify victims. The province initially warned residents on June 4 about the breach, one of many this year that have affected millions of people collectively.

The provincial government said 118,000 people had “sensitive personal information, such as social insurance numbers or banking information,” stolen in the incident. Another 47,000 letters also went to people who had “less sensitive” information stolen. So far about 29,000 people have signed up for the free credit monitoring.

In the incident, hackers found a way to exploit a bug in MOVEit, a file-transfer tool from U.S.-based Progress Software that is used all over the world. The Clop ransomware gang, in particular, has taken credit for dozens of attacks. In the U.S., federal and state government agencies were also among the targets.