The City of Hamilton faced a significant cybersecurity breach in February 2024, as a ransomware attack crippled nearly all municipal services. A major factor identified was the lack of multi-factor authentication (MFA) across many city departments, a security measure that verifies user identity through multiple steps. This absence was cited by the city’s insurer as the root cause for denying insurance claims amounting to $5 million. Despite awareness of the MFA requirement in their insurance policy since 2022, the city had only partially implemented it before the attack. The attackers demanded an $18.5 million ransom, but the city opted to rebuild its systems instead, incurring costs of $18.4 million to date, with ongoing expenses expected until 2026. Leadership changes have occurred since the incident, with a focus on modernizing the city’s approach to IT security. However, councillors expressed frustration over the lack of accountability for the breach. A consultant noted resistance among city staff to adopting MFA, which only changed after facing the consequences of the attack.
Why didn’t insurance cover Hamilton’s $5M cyberattack claims?
