In advance of a significant ransomware assault in February 2024 that left most municipal services paralyzed for weeks, numerous City of Hamilton departments lacked multi-factor authentication protection. Multi-factor authentication, also known as two-step verification, adds an additional layer of security for users accessing systems like email accounts, requiring them to confirm their identity through multiple methods, such as entering a code sent to their phone. While not the sole reason for the attackers’ success, the absence of multi-factor authentication was identified as a primary cause of the breach by the city’s insurance company, resulting in the denial of approximately $5 million in claims coverage.
Following the cyber incident, Mayor Andrea Horwath acknowledged the challenges faced, emphasizing the city’s commitment to addressing and learning from the situation rather than ignoring it. The lack of multi-factor authentication and the subsequent insurance denial were publicly disclosed recently. The insurance policy explicitly stated that no coverage would be provided for losses resulting from the absence of multi-factor authentication as the root cause of a cyber breach.
Efforts to implement multi-factor authentication were underway, with a pilot program initiated for a few departments in 2023, but full implementation was delayed due to the ransomware attack in early 2024. The city’s acting chief information officer, Cyrus Tehrani, contended that the breach would have occurred even with multi-factor authentication in place, citing the attack’s sophistication on an external server. The city opted not to pay the $18.5 million ransom demanded by the attackers, choosing instead to rebuild affected systems, incurring costs of $18.4 million thus far, with ongoing monthly expenses for system reconstruction until November 2026.
Despite implementing systemic changes post-attack, concerns lingered among councillors regarding accountability for the decisions leading to the breach. City Manager Marnie Cluckie emphasized collective responsibility within the leadership team and highlighted significant changes in the team structure since 2022. Cluckie’s appointment in 2024 replaced the former city manager, Janette Smith, and other senior staff turnover has occurred in recent years.
Subsequent to the attack, cybersecurity consultancy firm CYPFER was engaged to assist in the response. The CEO, Daniel Tobok, underscored the prevailing resistance to multi-factor authentication among city staff, noting a shift in attitude post-attack towards prioritizing IT security as essential for safeguarding city assets. Tobok emphasized the importance of staff understanding the role of IT in protection rather than inconvenience.