Hamilton taxpayers are looking at fronting the full cost of a devastating 2024 cyberattack after the city’s insurance company denied its claim.
Councillors were told at the general issues committee meeting on Wednesday that the city’s claim was denied because multi-factor authentication had not been fully implemented at the time of the attack.
According to the city’s insurance policy, no coverage was available for any losses where the absence of multi-factor authentication was the root cause of the cyber breach.
“I understand why Hamiltonians are frustrated — this was a serious and costly breach,” Mayor Andrea Horwath said in a news release Wednesday.
“We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard — and we’re not okay with that.”
Attackers demanded $18.5M in ransom
On Feb. 25, 2024, Hamilton experienced a cyberattack that disabled roughly 80 per cent of its network and impacted services like business licence processing, property tax, transit planning and finance and procurement systems for weeks.
A few systems were unrecoverable, the city said, including permit applications and licensing, fire department records management and traffic signal system management.
The attackers launched a complex ransomware attack through an external internet-facing server, the city said. After covertly studying the city’s systems, they encrypted systems and data to render them unusable and attempted — but failed — to destroy all the city’s backups.
The attackers demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the city’s data. The city did not pay the ransom, adding it contained the incident within two days and managed to provide critical services throughout.
Get daily National news
Get the day’s top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
“Paying the ransom would have increased the City’s risk and financial exposure,” the city said in the news release, saying technical advisers added decryption tools from cybercriminals are very often unreliable.
“Even with a working tool, safe restoration would have taken significant time and money. Additionally, paying ransom funds could fuel future cybercrime and support international organized crime and terrorist organizations.”
City has spent $18.3M in upgrades so far
Mike Zegarac, general manager of finance and corporate services, told councillors on Wednesday the city would have to incur costs regardless of whether it had paid the ransom.
To date, the city has spent $18.3 million on immediate response, system recovery and third-party expert support. There may be additional invoices still to be received for some items that will be included in future reports, staff noted.
Of the $18.3 million, $14 million has been spent on external experts who have helped the city’s response, redesign and future strategies, staff added.
At the general issues committee meeting Wednesday, Ward 2 Coun. Cameron Kroetsch took issue with the “looseness” of Hamilton’s cyber strategy.
“There weren’t protocols in place for many parts of the city, including how we connected to devices … and there was virtually no training provided whatsoever to councillors with respect to what to do here,” he said.
“This didn’t happen due to councillors’ negligence of any kind, or councils for that matter. But there have been several reports I’ve monitored outside of being an elected official where I saw recommendations being made to address this, and the investments not being made to pick up with those for whatever reason … we knew we had these problems with place … this has to be taken more seriously.”
Ward 9 Coun. Brad Clark said he found it “very frustrating” that multi-factor authentication wasn’t put in place years ago after learning from a staff member at the meeting that Hamilton’s insurance company sought it in late 2022.
When its claim was denied, the city obtained a third-party review of the decision and did not pursue further legal action as it learned the insurer’s action was based on coverage terms.
“The city had full knowledge we were not compliant with the exclusion in 2023,” he said.
“How does council find out it wasn’t done if staff doesn’t share it with us? I find it immensely frustrating there has been zero accountability on this; this chamber, we’ll be held accountable in a year and a bit; front bench and all the staff, no accountability for this incident. I can’t explain that to my residents.”
The city has since said it has enhanced its cyber controls and renewed its insurance coverage.
In her statement, Horwath said Hamilton will learn from the incident.
“We acted swiftly, and we’re moving forward with focus and determination. This is also a clear and indisputable reminder that timely investments in public infrastructure help prevent far more costly reactive responses down the line,” she said.
“The City of Hamilton is rebuilding with resilience and future-proofing in mind, while strengthening our systems, improving protections, and ensuring better service and safeguards for our entire community.”
© 2025 Global News, a division of Corus Entertainment Inc.
