A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (Kacper Pempel/Reuters)
The City of Hamilton has spent $18.3 million responding to a cybersecurity attack that took place last year, which the city is now facing in full after its insurance provider has denied its claim.
The city filed a cyber insurance claim. However, its insurance provider denied the claim citing policy exclusions, as multi-factor authentication had not been fully implemented by the city at the time of the incident, the city’s Cybersecurity Incident Summary report says. The policy did not provide coverage for any losses as a result of not having multi-factor authentication in place.
“I understand why Hamiltonians are frustrated – this was a serious and costly breach,” Hamilton Mayor Andrea Horwath said in a July 30 statement. “We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard – and we’re not okay with that.”
The cybersecurity incident took place on Feb. 25, 2024, in which cybercriminals gained access to and disabled approximately 80 percent of the city’s IT systems. A variety of city services were impacted by the incident, such as business license processing, fire department, public library, property taxes, and transit scheduling systems.
While the city says it has recovered or rebuilt most of its compromised systems, it’s still working to replace a number of systems that were “unrecoverable.”
“The cybercriminals launched a complex ransomware attack through an external internet-facing server,” the city of Hamilton said in a July 30 news release.
“After covertly studying the City’s systems, they encrypted systems and data to render them unusable and attempted – but failed – to destroy all the City’s backups.”
The cybercriminals demanded a ransom of approximately $18.5 million in exchange for a decryption tool that would unscramble the city’s compromised data, the release says. However, the city did not pay the ransom.
City Manager Marnie Cluckie said it was in Hamilton residents’ “best interests” that the city did not pay the ransom. She said third-party experts and law enforcement guided the city to make its decision.
“Paying the ransom would have increased the City’s risk and financial exposure,” the release says. The city noted that its technical adviser said decryption tools from cybercriminals are “very often unreliable,” and that paying ransom funds could fuel future cyber crime.
The city says it contained the attack within two days. Its technical adviser says personal information and personal health information was not compromised in the incident.
Response
The City of Hamilton’s Cybersecurity Incident Costing Update report indicates the incident has cost the city approximately $18.3 million so far, for external experts, infrastructure, staffing, and other related costs.
The report divides the costs into “response, recovery, restore and rebuild/transform” phases. In an effort to protect the city’s systems during the initial “response” phase, expenses included purchasing additional storage server capacity and equipment, such as printers and cell phones, in order to continue service through the incident.
Expenses in the “recovery” and “restore” phases, which the city says it is now in, include system testing, restoration, and recovery costs. Meanwhile, the “rebuild/transform” phase will include costs to rebuild applications and data. The report indicates that future expenses are expected in these phases as the recovery is still ongoing.
“Wherever possible, the City is leveraging previously approved funding for technology and security-related projects, considering appropriate reserves and reprioritizing capital projects,” the city said in its July 30 release. “Funding for 2026 and 2027 will be further evaluated during future budget processes.”
In response to the incident and the lack of existing security controls that led to the denial of its insurance claim, the city says it has implemented “enhanced cyber controls” and has renewed its cybersecurity insurance coverage with its provider.
“We are rebuilding our IT systems and infrastructure in a financially responsible way, applying what we’ve learned to strengthen cybersecurity and improve service,” City Manager Cluckie said in a July 30 statement.
Through its “Build Back Better approach,” the city says it has enhanced public services, customer experience, public safety, and emergency services; modernized financial and operational systems; made improvements to transit scheduling systems; and improved its “cybersecurity posture.”
“As the City restores its systems, it has a unique opportunity to build stronger and better,” the release says.