Our Commitments: Office of the Privacy Commissioner of Canada investigation

Today, the Office of the Privacy Commissioner of Canada (OPC) announced that it will discontinue its investigation into the cyberattack pending the completion of mutually agreed-upon commitments. 

We have been working collaboratively with the OPC throughout its investigation and value its thorough review as part of the recovery, remediation, and restoration efforts following the criminal cyberattack.

What happened 

The cyberattack was committed by a sophisticated foreign threat actor that stole customer personal information and internal data. They also destroyed or locked down some key business systems. On March 19, 2025, an employee unknowingly visited a website that had been compromised by malware (malicious software). After clicking a link, the malware was downloaded onto our systems, allowing a sophisticated foreign threat actor to gain unauthorized access to our network. The threat actor was able to take data from our files, including personal information belonging to both current and former customers. The attack was discovered on April 25, 2025. 

While the cyberattack did not affect our ability to generate or deliver energy, it did severely disrupt several internal systems, including our customers’ billing experiences. Meters continued to function accurately, but the malware prevented us from receiving data about energy usage. Most meters have now been reconnected to our digital billing system, and the plan is on track to reconnect the remaining meters by March 31, 2026. As of the end of February, less than 10% of customers were still getting an estimated bill.

As outlined in the compliance letter released by the OPC on March 25, approximately 375,000 current and 540,000 former customers were affected. The compromised personal information varied by individual and may have included names, phone numbers, email addresses, dates of birth, customer history, driver’s license numbers, and social insurance numbers (SINs). Throughout the year, we notified affected individuals and offered support, including five years of credit-monitoring and identity protection services, which include up to $1 million in identity theft insurance, to all current and former customers, whether they were determined to be affected or not.

Our commitments

As an outcome of the OPC’s investigation, we have made commitments which focus on continuing to address the risks that stemmed from the attack and preventing future breaches. Specifically:

1. Independent security assessment: While we have made significant progress in strengthening our systems and our cyber defenses, this work continues. We are committing to an information security assessment by an independent third-party security firm approved by the OPC. The findings will be shared confidentially with the OPC by October 31, 2026.
2. Deleting SINs: We promised customers we would delete their Social Insurance Numbers from our systems, and we are keeping that promise. The only exception would be for legal requirements, such as tax purposes, like issuing T5s to certain customers—we no longer require SINs for identity verification. We will provide the OPC with confirmation that customer SINs have been removed by March 31, 2026.

We’ve learned a great deal since last year’s cyberattack. We remain focused on meeting the commitments stemming from the OPC investigation and will continue taking steps to reduce the risk and impact of future incidents. Our work to earn back your trust also continues with the same focus as the work to rebuild our systems.

To learn more about the cyberattack and what we’re doing moving forward, please visit here >