The City of Hamilton will be on the hook for the more than $18 million it has cost to recover from a ransomware attack after their insurance claim was denied.
In an update presented to a city committee on Wednesday, staff said that its insurer denied the claim for reimbursement of costs related to the February cyberattack because multi-factor authentication had not been fully implemented for online services when the attack happened.
Staff said Hamilton obtained a third-party to review the coverage denial, but the review found the denial aligned with the policy.
The total cost incurred to recover from the attack so far is $18.3 million, according to a staff report. The city says more than $14 million of that amount has been paid to external experts while more than $1 million each has been put towards infrastructure, staffing, and other related costs.
“I understand why Hamiltonians are frustrated - this was a serious and costly breach,” said Mayor Andrea Horwath in a news release on Wednesday.
“We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard - and we’re not okay with that.”
The attackers disabled nearly 80 per cent of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data, the update revealed.
The ransom was never paid because the city said doing so would have increased “risk and financial exposure.”
“This was in the best interests of Hamiltonians, aligned with guidance from third-party experts and law enforcement, and is consistent with industry best practices,” City Manager Marnie Cluckie said in the release.
“We are rebuilding our IT systems and infrastructure in a financially responsible way, applying what we’ve learned to strengthen cybersecurity and improve service.”
Additionally, the city said no one’s personal or health data was impacted or accessed during the breach.
Most of the affected systems have been successfully recovered or rebuilt, according to the city.
However, they say a limited number of services, including the finance business management application suite, development and permit applications and licensing, fire department records management, public health inspection application, traffic signal systems management, museum collections management solution and the utility locates application, were unrecoverable.
