Insurance won't cover $5M in City of Hamilton claims for cyberattack, citing lack of log-in security

Insurance won't cover $5M in City of Hamilton claims for cyberattack, citing lack of log-in security https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713

08/08/2025 14:14:58

cbc.ca - The insurance company did not cover any of the city’s claims totalling about $5 million. City staff say they've learned from their mistakes and are taking accountability for the cybersecurity breach.

Many City of Hamilton departments didn't have multi-factor authentication in place before cyber criminals launched a massive ransomware attack in February 2024, paralysing nearly all municipal services for weeks.

Multi-factor authentication, also sometimes in the form of two-step verification, is a widely used layer of extra security for users logging into a system like their email accounts. They're required to verify their identity using more than one method, such as entering a code texted to their phone.

It's been used by corporations and technology companies for years. Google, for example, launched its two-step log-in system in 2011.

While not the only reason the attackers were successful, the city's lack of multi-factor authentication was a "root cause" of the breach, as determined by the city's insurance company, said a staff report to the general issues committee Wednesday.

As a result, the insurance company did not cover any of the city's claims totalling about $5 million.

"This has been a test of our system and a test of our leadership," said Mayor Andrea Horwath at a news conference Wednesday. "We are not sweeping this under the rug. We are owning it, we're fixing it and we're learning from it."

The lack of multi-factor authentication, and no insurance coverage, was reported publicly for the first time this month.

The staff report said: "According to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach."
Solicitor Lisa Shields told councillors Wednesday that staff were aware of the multi-factor authentication requirement in their insurance policy in the fall of 2022 and began rolling out a pilot program the following year, but for only a few departments.

In early 2024, the city was preparing to fully implement multi-factor authentication, but then the ransomware attack took place on Feb. 25, said Cyrus Tehrani, acting chief information officer.

He told reporters that — contrary to what the insurance company found — the breach would've happened even with multi-factor authentication in place. The city also told CBC Hamilton in an email that it was a "highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems."

Attackers demanded $18.5M in ransom
About 80 per cent of city systems were impacted and the attackers demanded the city pay $18.5 million to unlock it — a massive crisis and among the most significant in Canada, city manager Marnie Cluckie told councillors.

Based on advice from outside experts, the city decided not to pay the ransom and instead recover what it could and rebuild everything else. The police investigation is ongoing, Cluckie said.

To date, the city has spent $18.4 million and will continue to pay nearly $400,000 a month until November 2026 to rebuild its systems, said Mike Zegarac, general manager of finance.

Liens par page

Filtres