Billing database compromised in QEC cyberattack, says VP
Corporation continues to urge customers to monitor financial accounts out of ‘abundance of caution,’ says VP of operations
Bill Nippard is QEC’s vice-president of operations and engineering. He said that while some database work will have to be done more manually than before, QEC operations are still running.
The cyberattack against Qulliq Energy Corporation last week targeted a number of the corporation’s databases, including payment processing.
Bill Nippard, QEC vice-president of operations and engineering, provided some new information about the attack and subsequent investigation to Nunatsiaq News Monday.
The energy corporation, which supplies power to Nunavut’s 25 communities, announced Jan. 19 that it was the target of a cyberattack earlier that week.
Investigators still have not determined whether QEC customers’ financial information has been compromised and the corporation is still urging customers to monitor their financial accounts for unusual activity and consider changing their passwords.
“This is all out of an abundance of caution,” said Nippard.
Power plants in the territory continue to run as normal.
What was attacked was the information technology side of QEC, said Nippard, such as databases for timesheets, payment processing and emails.
An employee discovered the problem when they tried to send documents to a vendor. When the emails didn’t send, the system seemed to be acting strangely.
That employee called the information technology help desk, who began to look into the issue.
“And that’s when they shut everything down,” Nippard said.

Last week Qulliq Energy Corporation was the victim of a cyberattack. Operations continue as normal and an investigation into the attack is ongoing. (Photo by David Lochead)
QEC is continuing its normal business, but the compromised systems are being managed manually for now.
“It’s inconvenient, obviously,” Nippard said.
In a news release last week, QEC said it has brought in cybersecurity experts and the Government of Nunavut’s information technology teams to determine the scope of the attack.
A full report on the attack will be provided to the QEC once the investigation is finished, Nippard said.
He told Nunatsiaq News he is not sure how long the investigation will take and he wouldn’t add any more detail, citing security concerns.
Other government bodies involved in investigating the QEC’s cyberattack include the Government of Nunavut, the federal government and the RCMP.
When asked why he thinks QEC was targeted, Nippard said cyberattacks have become a worldwide phenomenon.
“We’re just the latest in a long line of companies that have been attacked by cyber criminals,” he said.
You call CGS IT/IM, the guys who failed to stop the GN ransomware running dated and poorly designed systems? Their expertise resulted in a call to Microsoft and to this day we have never been given the dollar figure paid. Not one single person was fired due to the fiasco! Good luck QEC lol. Maybe I can pay my bill without having to call in a card to the lady in Baker Lake after this.
Failure of leadership. President down to the manager should be let go. Every Crown Corp in Nunavut got a free lesson with the GN attack, response and clean up. If they didn’t do the necessary to bring their systems in line with modern ITSEC and Business continuity programs they failed the organization and their customers. There is little chance this was a “targeted” attack, someone clicked something they shouldn’t have or opened a compromised attachment.
It’s so unfortunate how many cyberattacks are occurring around the world and impacting daily life these days. Good job to QEC for keeping power operations going as January would be a freezing month to have the grids shut down.
My power goes out so often I don’t even bother resetting my appliances anymore.
I’m worried that even if we talk about it too much the system will overload and the power will go out yet again.
Proactive measures to increase confidence and security are for southerners.
Here we wait until there’s a blatant mistake to pretend to learn from.
What would changing my banking password do? You don’t need my password to use the credit card number QEC has on file for billing.
What about former employees? QEC has their SIN, DOB, full banking details, and even medical information since they run their own medical travel program separate from the GN. Are people being contacted and informed of the risk of identity theft and what to be aware of?
Ha, they should be worried about being sued for clients whose Protected B information was stolen. It’s not the clients’ fault that Nunavut businesses and Government don’t keep up with times and upgrade their networks and be proactive in protecting client information.
People should be fired ..
If anyone loses money ’cause they can’t maintain their security (this means major upgrades too) then people should band together and class action these dummies for operating carelessly and putting thousands of people’s personal info at jeopardy.
I’d sue, fo sho