With digital banking a ubiquitous norm for almost all Canadians, we can access our finances at the click of a button. Unfortunately, so can thieves and bad actors — if they have the right information.

On May 15, Diane and Michael Betts found their Manulife line of credit missing $30,000 and a $500 charge on their Mastercard, neither of which they knew about.

Upon finding the money missing, Diane immediately called Manulife, who informed her that their account was accessed the day before by someone claiming to be her with all the relevant information on hand. They were stupefied.

“We were in absolute shock,” Diane told CTV News, adding, “We’ve never been in debt — and suddenly we owe $30,000. It wasn’t our mistake.”

They had no idea how the money had left their account, until they received a letter from Nova Scotia Power — their utility company — that gave them new information.

Connecting the dots

On May 23, the couple received a letter from Nova Scotia Power indicating their data was stolen in a cybersecurity breach. Recently, the utility provider told CTV that over 280,000 customers were affected by a data breach that occurred on or around March 19, and that they notified the public on April 28.

The Betts were frustrated they didn’t receive notice sooner, as they could have prepared for the attack well in advance. “If we had gotten that letter in early April, we would have taken immediate steps, added alerts, changed our passwords,” Diane said. “Instead, we spent the entire long weekend in May not knowing what had happened.”

Manulife has launched an investigation, and its investigator told the Betts their account would be reset this week. But the couple haven’t seen any changes yet and aren’t sure if they will be reimbursed at all. The financial attack is a major burden on their finances, as they are both retired, with Michael only working part-time.

In response to the attack, Nova Scotia Power has issued a free, two-year credit monitoring service to all impacted users and is urging them to be careful about any suspicious communication from anyone claiming to be representatives of the utility company.

Manulife did follow through, refunding the Betts in full, as CTV News reported in a follow-up piece. In fact, a representative from Manulife confirmed with Money.ca that the Betts were refunded within 24 hours of their story being published.

What are your first steps after an attack?

Cybersecurity attacks on businesses are in decline, but the numbers are still significant, according to a report from Statistics Canada. One out of six businesses (~16%) experienced a cybersecurity attack in 2023, the organization found.

If a business that contains your personal information has been subject to a cybersecurity attack, what should you do first?

Keep an eye on your emails and other communications:

Nova Scotia Power informed the public about the cyber breach on April 28, well before the Betts’ bank account was hit. Keeping an eye on any news or emails from companies you do business with can help you stay informed so you can act quickly.

Take steps to protect your accounts:

As soon as you are aware of a data breach, you should take immediate action to protect your accounts. The Financial Consumer Agency of Canada recommends the following actions:

Take advantage of free credit monitoring:

Typically in business breach scenarios, the affected business offers free credit monitoring services to the affected parties so they can keep tabs on their credit accounts. Using this service can greatly increase the chance you catch an unauthorized transaction before it’s too late.

What if I’ve been hacked?

If you’ve lost money from a cybersecurity attack on a business, the steps you take look a little different.

Experts note that the best chance of someone getting their funds back requires quick action — 24 to 72 hours to be precise. As soon as you notice money missing from your account, let your bank know so they can freeze your accounts and investigate. Also be sure to alert your local police and the Canadian Anti-Fraud Centre.

If you’re out of funds and you haven’t noticed for quite some time, recovering your money can be a bit trickier. Businesses impacted by a personal data breach may have cyber crime insurance that will pay out some of the affected individuals, though it’s uncommon for them to have high policy limits.

So, can you take a business to court if you’re out a lot of money from a cyber breach? Yes, but don’t expect it to be simple. The rule used to determine who is at fault (i.e. liable) for the breach is that liability falls on whoever was in the best position to prevent the fraud, says Cameron Shilling, director, Litigation Department, and chair of the Cybersecurity and Privacy Group at law firm McLane Middleton. This isn’t easy to show in a court of law, with the blame being placed on a mix of involved parties, such as the business, you or your bank.

As the Betts’ story highlights, the best course of action when dealing with a potential financial cybercrime is quick action and alerting your bank as soon as possible.

Sources

1. CTV News: N.S. couple loses $30K, believes it’s due to power utility’s cybersecurity breach, by Hafsa Arif (May 27, 2025)

2. CTV News: Nova Scotia Power says it was victim of ‘sophisticated ransomware attack’, by Andrea Jerrett (May 23, 2025)

3. Statistics Canada: Impact of cybercrime on Canadian businesses, 2023 (Oct 21, 2024)

4. Financial Consumer Agency of Canada: Protecting your financial information in the event of a data breach

5. McLane Middleton: Who Is Liable for Lost Money in a Cyber Scam?, by Cameron G. Shilling (Feb 29, 2024)
