
The City of Hamilton’s 2024 cyberattack was a disaster waiting to happen. And now, it’s the residents, the taxpayers, who are left holding the $18.3 million bill for a failure that wasn’t theirs to begin with.
The most bitter pill? The city’s insurance claim was denied because multi-factor authentication (MFA), a basic cybersecurity safeguard, wasn’t fully implemented. In an age when even your personal email nags you to enable MFA, how did a city government responsible for critical infrastructure and sensitive data leave such a glaring vulnerability exposed?
According to the insurer, the absence of MFA was the root cause of the breach, and therefore, not covered under the policy. Whether or not that exclusion is fair (and that’s debatable), the fact remains: city staff knew about the requirement. A staff member confirmed that the insurance company flagged the issue as early as 2022. And yet, by the time the attack hit in February 2024, those protections were still not in place.
That is a colossal failure not just of technical oversight, but of leadership and communication.
Councillors, rightfully frustrated, demanded answers. Ward 9 Coun. Brad Clark’s outrage was particularly justified: how did council not know MFA hadn’t been implemented when it was tied directly to insurance coverage? This wasn’t a minor clerical error; this was a multimillion-dollar exposure that residents are now paying for.
There’s no clearer sign of systemic failure than when elected officials are left in the dark about something so critical. Staff knew the city was non-compliant. Why wasn’t that front and center in reports? Why wasn’t action taken immediately?
Ward 2 Coun. Cameron Kroetsch hit the nail on the head: there were warnings, reports, and red flags long before this attack. Yet those signals were ignored or deprioritized. The city’s overall cyber strategy, he said, was “loose,” and it shows. No protocols, no training, and seemingly no urgency.
In the end, the city refused to pay the $18.5 million ransom, a decision that deserves cautious praise. Paying cybercriminals often leads to more problems than it solves. But while Hamilton avoided the ethical and practical risks of paying a ransom, it still ended up spending nearly the same amount, $18.3 million, on response, recovery, and rebuilding. Most of that went to external experts brought in to clean up the mess.
Mayor Andrea Horwath acknowledged the city “fell short” and promised that Hamilton is now rebuilding with “resilience and future-proofing in mind.” That’s reassuring, but it doesn’t erase the preventable mistakes of the past.
What’s missing here is accountability. Council will face voters. Staff will likely not face any direct consequences. How is that fair?
Let’s be honest: if a small business suffered this kind of breach because it didn’t follow its insurance policy, it would be accused of negligence. So why should a city with far more resources and responsibility be treated differently?
This isn’t just a one-off incident. It’s a wake-up call for municipalities everywhere. Cybersecurity is no longer optional. It’s not an IT issue; it’s a governance issue, a fiscal issue, and above all, a public trust issue.
Hamilton’s residents deserved better. They trusted their city to protect the digital backbone of public life, from fire department records to traffic management systems. That trust was broken, and now they’re paying the price, literally.
The hope is that this very expensive lesson leads to real change, not just in Hamilton, but across Canada. Because the next city to fall short may not be so lucky.



