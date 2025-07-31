Swift and effective response to a sophisticated attack

Cybercriminals often attack government organizations because they hold large amounts of sensitive information, making them high-value targets.1 Cybercriminals tend to view these attacks as an opportunity to maximize financial gain.2

Importantly, the City contained the cybersecurity incident within two days, provided critical services throughout the incident, and recovered the majority of systems directly from available backups. In addition, third-party experts found no evidence that personal information or personal health information was stolen by the cybercriminals.

The cybercriminals launched a complex ransomware attack through an external internet-facing server. After covertly studying the City’s systems, they encrypted systems and data to render them unusable and attempted – but failed – to destroy all the City’s backups.

Recovery efforts consistent with industry best practices

The cybercriminals demanded a ransom of approximately $18.5 million CAD3 in exchange for a decryption tool to unscramble the City’s data. The City did not pay the ransom.

“The City did not pay the ransom – this was in the best interests of Hamiltonians, aligned with guidance from third-party experts and law enforcement, and is consistent with industry best practices,” said Marnie Cluckie, City Manager. “We are rebuilding our IT systems and infrastructure in a financially responsible way, applying what we’ve learned to strengthen cybersecurity and improve service. I am sincerely grateful to our staff for their tireless commitment, and to the Mayor and Council for their ongoing support as we overcome one of the most significant challenges the City has faced.”

Paying the ransom would have increased the City’s risk and financial exposure. CYPFER advised that decryption tools from cybercriminals are very often unreliable. Even with a working tool, safe restoration would have taken significant time and money. Additionally, paying ransom funds could fuel future cybercrime and support international organized crime and terrorist organizations.

Insurance claim and coverage update

Following a forensic review, the City filed a claim with its cyber insurance provider. The City’s insurer denied the claim based on coverage terms. The City obtained a third-party legal review of the coverage denial. This review confirmed the denial aligned with the policy, and the City did not pursue further legal action. Since then, the City has enhanced its cyber controls and successfully renewed its cybersecurity insurance coverage.

Future-ready, more resilient and efficient City

From the start of the incident through to June 30, 2025, the City spent $18.3 million CAD on immediate response, system recovery and third-party expert support (Report CM24005(b)).

As the City restores its systems, it has a unique opportunity to build stronger and better. To support this, the City has conducted a detailed analysis to determine the full financial and operational impact of the cybersecurity incident. These insights have helped the City prioritize projects and funding to create a more resilient, efficient and future-ready City.

The City developed a “Build Back Better” plan, including a three-year funding strategy, which Council approved in February 2025. The financial impacts for this year are incorporated into the City’s 2025 Tax Budget. Wherever possible, the City is leveraging previously approved funding for technology and security-related projects, considering appropriate reserves and reprioritizing capital projects. Funding for 2026 and 2027 will be further evaluated during future budget processes.

