Hamilton loses $5M in insurance claims after a ransomware attack exposed a lack of multi-factor authentication, deemed the breach’s root cause by insurers.
Ransomware Attack Shuts Down City Services
In February 2024, the City of Hamilton fell victim to one of the most significant municipal cyberattacks in Canadian history, with nearly 80 per cent of its systems crippled. The ransomware attack, launched on February 25, disrupted municipal operations for weeks. Cybercriminals demanded a staggering $18.5 million to unlock the city’s data, a sum officials refused to pay.
Insurance Denial Linked to Security Lapses
A recent city staff report revealed that Hamilton’s insurer denied $5 million in claims due to a lack of multi-factor authentication (MFA) across departments. MFA is a common cybersecurity measure requiring users to verify identity using two or more login credentials. Despite awareness of the requirement as early as 2022, the city had not implemented MFA system-wide by the time of the attack.
City Officials Admit Policy Non-Compliance
At a General Issues Committee meeting, officials acknowledged that the absence of MFA was cited as the “root cause” for the breach in the insurance policy. Solicitor Lisa Shields confirmed the city began a limited rollout in 2023 but had not reached full implementation before the attack. Acting CIO Cyrus Tehrani argued the breach could have occurred regardless, but the insurance company remained firm in its decision.
Financial and Operational Impact Grows
To date, Hamilton has spent $18.4 million on recovery efforts and is projected to spend $400,000 monthly through November 2026 to rebuild and secure its digital infrastructure. City Manager Marnie Cluckie emphasized the magnitude of the attack, calling it a defining crisis for the municipality. Police investigations remain active, and no ransom was paid.
Political Fallout and Calls for Accountability
City council members voiced frustration over the lack of accountability. Councillor Brad Clark criticized the absence of consequences for those responsible for the security oversight. “Absolutely none,” he said. Councillor Mike Spadafora echoed concerns, warning against making taxpayers shoulder the cost of leadership failures.
Leadership Shake-Up and Cultural Shift
Since the attack, Hamilton has undergone leadership changes. Janette Smith was replaced by Cluckie as city manager, and other senior staff have departed. Mayor Andrea Horwath said the city is undergoing necessary modernization and structural change. “This city needed to become more modernized. When I got here, I felt this was a city time forgot,” she told reporters.
Resistance to Cybersecurity Measures Highlighted
Cybersecurity firm CYPFER, hired post-attack, noted that resistance to MFA from within the city was a significant barrier. CEO Daniel Tobok described a public-sector mindset of “don’t fix it if it’s not broken.” His team reported initial pushback from staff, only shifting after the breach made the stakes painfully clear. “IT is not there to make their life miserable,” Tobok said. “It’s there to protect city assets.”
Future Preparedness in Focus
The city now pledges stronger digital safeguards and a full commitment to cybersecurity best practices. While recovery is ongoing, officials hope that Hamilton’s hard lesson will serve as a wake-up call for other Canadian municipalities lagging in digital risk mitigation.
For continuous coverage and real-time updates, keep following Maple News Wire.
