How One Missing Control Cost Hamilton $18.3 Million
- Adam Sewall
- Aug 5
- 1 min read
On February 25, 2024, the City of Hamilton, Ontario experienced a cyberattack that disabled roughly 80 percent of its network and disrupted critical services including business license processing, property tax, transit planning, and finance and procurement systems for weeks.
According to the city, the attackers launched a complex ransomware attack through an external internet-facing server. After covertly studying the city’s systems, they encrypted systems and data to render them unusable and attempted, but failed, to destroy all the city’s backups.
To date, the city has spent $18.3 million on immediate response, system recovery, and third-party expert support. There may be more charges beyond this according to published reports. Of the $18.3 million, $14 million has been spent on external experts who have helped the city’s response, redesign and future strategies, staff added.
As reported by Global News:
“Councillors were told at the general issues committee meeting on Wednesday that the city’s claim was denied because multi-factor authentication had not been fully implemented at the time of the attack.”
Bottom Line
Cyber insurance can be denied if yourrepresentations on defense are not accurate. Whether you are a business or a municipality, visibility towards your defense is critical.
A full assessment, pen test and active managed cyber defense would have apparently mitigated much of this attack and revealed deficiencies in their cyber defense including the lack of MFA.
Contact Cyberleaf for guidance on assessments, penetration testing, and managed cyber defense.
Comments