Many City of Hamilton departments didn’t have multi-factor authentication in place before cyber criminals launched a massive ransomware attack in February 2024, paralysing nearly all municipal services for weeks.
Multi-factor authentication, sometimes in the form of two-step verification, is a widely used extra layer of security for users logging into a system such as an email account. Users are required to verify their identity using more than one method, such as entering a code texted to their phone.
It’s been used by corporations and technology companies for years. Google, for example, launched its two-step log-in system in 2011.
While not the only reason the attackers were successful, the city’s lack of multi-factor authentication was a “root cause” of the breach, as determined by the city’s insurance company, said a staff report to the general issues committee Wednesday.
As a result, the insurance company did not cover any of the city’s claims totalling about $5 million.
“This has been a test of our system and a test of our leadership,” said Mayor Andrea Horwath at a news conference Wednesday. “We are not sweeping this under the rug. We are owning it, we’re fixing it and we’re learning from it.”
The lack of multi-factor authentication, and no insurance coverage, was reported publicly for the first time this month.
The staff report said: “According to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach.”
Solicitor Lisa Shields told councillors Wednesday that staff were aware of the multi-factor authentication requirement in their insurance policy in the fall of 2022 and began rolling out a pilot program the following year, but for only a few departments.
In early 2024, the city was preparing to fully implement multi-factor authentication, but then the ransomware attack took place on Feb. 25, said Cyrus Tehrani, acting chief information officer.
He told reporters that — contrary to what the insurance company found — the breach would’ve happened even with multi-factor authentication in place. The city also told CBC Hamilton in an email that it was a “highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems.”
Attackers demanded $18.5M in ransom
About 80 per cent of city systems were impacted and the attackers demanded the city pay $18.5 million to unlock them — a massive crisis and among the most significant in Canada, city manager Marnie Cluckie told councillors.
Based on advice from outside experts, the city decided not to pay the ransom and instead recover what it could and rebuild everything else. The police investigation is ongoing, Cluckie said.
To date, the city has spent $18.4 million and will continue to pay nearly $400,000 a month until November 2026 to rebuild its systems, said Mike Zegarac, general manager of finance.
While staff vowed systemic changes had been made, councillors were skeptical about whether enough had been done to hold decision-makers responsible.
“I find it very frustrating that there has been zero accountability for this, absolutely none,” said Coun. Brad Clark. “I can’t explain that to my residents.”
Coun. Mike Spadafora had similar concerns.
“We can’t ask residents for tens of millions of dollars whenever we make a mistake and say, ‘Well, there were lessons learned,’” he said.
Some changes to leadership team in recent years
At the news conference, Cluckie said it wasn’t a single person who made a decision on whether or not to implement multi-factor authentication when it became an insurance requirement.
“We’re certainly accountable collectively as a leadership team and are taking steps to address those gaps,” said Cluckie.
Horwath noted the senior leadership team is “a lot different” than in 2022, when the current term of council began.
“Significant changes were made,” Horwath told reporters. “This city needed to change. This city needed to become more modernized. When I got here I felt this was a city time forgot.”
In 2024, Cluckie replaced Janette Smith as city manager, for example. And a number of other senior staff have left the city in recent years.
Tehrani also took on the new role of chief information officer after the ransomware attack.
Staff resistant to multi-factor authentication: consultant
Immediately after the attack, the city hired cybersecurity experts at CYPFER to help it respond. The company’s CEO, Daniel Tobok, told councillors Wednesday that the public sector generally neglects its information technology systems with a “don’t fix it if it’s not broken” mentality.
He said his team’s first question to the city was why multi-factor authentication was only in place in some departments and not others.
“We heard, ‘We have major resistance from people working for the City of Hamilton,’” he said.
But after the ransomware attack, when everyone faced the “harsh reality,” that’s when staff were on board, he said.
“Something that needs to be brought to city staff’s awareness is that IT is not there to make their life miserable,” said Tobok. “It’s there to protect city assets.”