Cybercriminals demanded $18.5 million in ransom, but officials say they refused to pay
NEWS RELEASE
CITY OF HAMILTON
*************************
The City of Hamilton provided an update on the February 25, 2024, cybersecurity incident, including new details on how the sophisticated cybercriminals gained access to city systems and the ransom demand of approximately $18.5 million (CAD).
This information was presented at the July 30, 2025, General Issues Committee Meeting through four reports:
- Building Better: Post-Cyber Project Portfolio Update (CM25007)
- Cybersecurity Incident Summary (CM25008); including Appendix ‘A’ – Post Cyber Incident Summary by technical advisor CYPFER Canada Inc (CYPFER)
- Cybersecurity Costing Update (CM24005(b))
- Cybersecurity Resiliency Enhancements (CM25009)
“I understand why Hamiltonians are frustrated – this was a serious and costly breach,” said Mayor Andrea Horwath. “We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard – and we’re not okay with that. But we acted swiftly, and we’re moving forward with focus and determination. This is also a clear and indisputable reminder that timely investments in public infrastructure help prevent far more costly reactive responses down the line. The City of Hamilton is rebuilding with resilience and future-proofing in mind, while strengthening our systems, improving protections, and ensuring better service and safeguards for our entire community.”
Cybercriminals often attack government organizations because they hold large amounts of sensitive information, making them high-value targets. Cybercriminals tend to view these attacks as an opportunity to maximize financial gain.
Importantly, the city contained the cybersecurity incident within two days, provided critical services throughout the incident, and recovered the majority of systems directly from available backups. In addition, third-party experts found no evidence that personal information or personal health information was stolen by the cybercriminals.
The cybercriminals launched a complex ransomware attack through an external internet-facing server. After covertly studying the city’s systems, they encrypted systems and data to render them unusable and attempted – but failed – to destroy all the city’s backups.
The cybercriminals demanded a ransom of approximately $18.5 million CAD in exchange for a decryption tool to unscramble the city’s data. The city did not pay the ransom.
“The city did not pay the ransom – this was in the best interests of Hamiltonians, aligned with guidance from third-party experts and law enforcement, and is consistent with industry best practices,” said City Manager Marnie Cluckie. “We are rebuilding our IT systems and infrastructure in a financially responsible way, applying what we’ve learned to strengthen cybersecurity and improve service. I am sincerely grateful to our staff for their tireless commitment, and to the mayor and council for their ongoing support as we overcome one of the most significant challenges the city has faced.”
Paying the ransom would have increased the city’s risk and financial exposure. CYPFER advised that decryption tools from cybercriminals are very often unreliable. Even with a working tool, safe restoration would have taken significant time and money. Additionally, paying ransom funds could fuel future cybercrime and support international organized crime and terrorist organizations.
Following a forensic review, the City filed a claim with its insurance provider. The city’s insurer denied the claim based on coverage terms. The city obtained a third-party legal review of the coverage denial. This review confirmed the denial aligned with the policy, and the city did not pursue further legal action. Since then, the city has enhanced its cyber controls and successfully renewed its cybersecurity insurance coverage.
From the start of the incident through to June 30, 2025, the city spent $18.3 million CAD on immediate response, system recovery and third-party expert support (Report CM24005(b)).
As the city restores its systems, it has a unique opportunity to build stronger and better. To support this, the City has conducted a detailed analysis to determine the full financial and operational impact of the cybersecurity incident. These insights have helped the City prioritize projects and funding to create a more resilient, efficient and future-ready city.
The city developed a “Build Back Better” plan, including a three-year funding strategy, which council approved in February 2025. The financial impacts for this year are incorporated into the city’s 2025 tax budget. Wherever possible, the city is leveraging previously approved funding for technology and security-related projects, considering appropriate reserves and reprioritizing capital projects. Funding for 2026 and 2027 will be further evaluated during future budget processes.
*************************
