Well then, I present to you the case of the City of Hamilton

Not too long ago, on February 25th, 2024, a ransomware attack hit the City of Hamilton, crippling roughly 80 percent of its network. The affected systems and services included business licensing, property-tax processing, and transit-planning systems. Cybercriminals proceeded to demand an $18.5 million ransom that the city refused to pay. Earlier this year, around April 2025, a new and interesting facet to this story emerged. Hamilton’s insurer denied the city’s insurance claim, citing the absence of fully implemented multi-factor authentication (MFA) at the time of the breach.

This has left taxpayers on the hook for an $18.3 million cleanup and recovery bill.  Let's analyze how the attack occurred and why the lack of MFA has proved to be so costly.

Why was Hamilton’s cyber insurance claim denied?

The Canadian city of Hamilton in Ontario fell victim to a ransomware attack in February 2024. This attack was similar to countless others: initial access was gained via an externally-facing machine with weak credentials, which then led to internal infrastructure being encrypted and a ransom being demanded for the decryption binaries.

A quote from Hamilton Mayor Andrea Horwath provided some further details: “I understand why Hamiltonians are frustrated – this was a serious and costly breach. We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard, and we’re not okay with that.” The update also revealed that attackers disabled nearly 80% of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data.

Key takeaways from the Hamilton cyber-attack and insurance fallout

  1. Enforce multi-factor authentication (MFA) across all accounts: The City of Hamilton’s insurer denied the cyber insurance claim explicitly because MFA had not been fully implemented at the time of the attack, underscoring that passwords alone are insufficient protection against modern threats.
  2. Maintain and regularly test immutable, offline backups: Attackers attempted (but ultimately failed) to destroy Hamilton’s backups. However, several critical systems lacked recoverable backups and were unrecoverable, illustrating that backup integrity and offline isolation are essential to swift recovery.
  3. Implement robust network segmentation: The ransomware spread laterally across approximately 80% of Hamilton’s network within days. Proper segmentation can contain breaches to limited zones, preventing attackers from crippling broad sections of infrastructure.
  4. Conduct frequent phishing simulations and employee training: Infections originating from a single phishing email went undetected for over a week, demonstrating that human factors remain a primary attack vector. Ongoing awareness programs and realistic simulations can help reduce the risk of initial compromise.
  5. Align cyber insurance with security posture: Hamilton’s $18.3 million bill highlights the importance of aligning insurance coverage terms with actual security controls. Organizations must ensure they meet all policy requirements, such as MFA and incident response plans.
  6. Develop and exercise incident response plans: Although Hamilton contained the incident within 48 hours and maintained critical services, having a documented, regularly exercised incident response playbook would further reduce downtime and expedite decision-making under pressure.
  7. Last but not least, and probably the easiest to complete, review your logs: Had their log monitoring been implemented, the initial attempts at accessing the systems would have been caught via invalid login attempts being documented in the system security logs.
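To make takeaway 7 concrete, here is an added example (not code from the original post or from the City of Hamilton) of the kind of log review that surfaces repeated failed logons against an Internet-facing host before they turn into a successful one. The log format, hostnames, usernames and addresses are all constructed for this example; a real deployment would swap `parse_line()` for a parser of its own event source (Windows Security event 4625, sshd, an RDP gateway log) and feed the alerts into whatever monitoring already exists.

```python
"""Failed-logon burst detector for authentication logs.

Added example, not part of the original post. It scans constructed,
simplified security-log lines for repeated failed logons from one source
address inside a sliding time window and flags any later success from a
flagged address. The line format is hypothetical; replace parse_line()
for a real event source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: an Internet-facing gateway sees a burst of failed
# logons from one address, mixed with ordinary activity from inside the LAN.
SAMPLE_LOG = """\
2024-06-01T02:58:01Z host=rdp-gw01 event=logon_failed user=administrator src=203.0.113.45
2024-06-01T02:58:03Z host=rdp-gw01 event=logon_failed user=admin src=203.0.113.45
2024-06-01T02:58:04Z host=rdp-gw01 event=logon_failed user=backup src=203.0.113.45
2024-06-01T02:58:06Z host=rdp-gw01 event=logon_failed user=svc_sql src=203.0.113.45
2024-06-01T02:58:09Z host=rdp-gw01 event=logon_failed user=jsmith src=203.0.113.45
2024-06-01T02:58:11Z host=rdp-gw01 event=logon_failed user=jsmith src=203.0.113.45
2024-06-01T02:59:40Z host=fs01 event=logon_failed user=mwong src=10.20.4.17
2024-06-01T03:00:12Z host=rdp-gw01 event=logon_success user=jsmith src=203.0.113.45
2024-06-01T03:05:30Z host=fs01 event=logon_success user=mwong src=10.20.4.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one line of the hypothetical log format into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that produces `threshold` or more
    failed logons within `window`, noting whether a success followed.

    A deque of recent failure timestamps per source gives a sliding window
    without re-scanning the log for every event.
    """
    recent = defaultdict(deque)      # src -> timestamps of failures still in window
    tried_users = defaultdict(set)   # src -> distinct usernames attempted
    alerts = {}                      # src -> alert dict (first alert per source)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["event"] == "logon_failed":
            q = recent[src]
            q.append(rec["ts"])
            tried_users[src].add(rec["user"])
            # Drop failures that have fallen out of the window.
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "host": rec["host"],
                    "first_failure": q[0],
                    "failures_in_window": len(q),
                    "distinct_users": len(tried_users[src]),
                    "followed_by_success": None,
                }
        elif rec["event"] == "logon_success" and src in alerts:
            # A success from an already-flagged address is the highest-priority
            # signal: the guessing may have worked and needs immediate review.
            alerts[src]["followed_by_success"] = (rec["user"], rec["ts"])

    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_failed_logon_bursts(SAMPLE_LOG):
        print(f"ALERT {a['src']} on {a['host']}: {a['failures_in_window']} failed logons "
              f"across {a['distinct_users']} users since {a['first_failure']:%H:%M:%S}; "
              f"success afterwards: {a['followed_by_success']}")
```

The threshold and window are deliberately parameters: a single user mistyping a password a few times from an internal address (the `fs01` lines) never trips the rule, while five failures in ten seconds across five different usernames from one external address does, and the later success from that same address is what would have justified an immediate password reset and MFA enforcement on the account.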

Sadly, cases like this are becoming increasingly common, and it's a simple matter of economics.  The insurance carriers have been inundated with claims and are now verifying, through their consultants and experts, that the client/victim took all reasonable steps in compliance with their policy to prevent the attack.  In some cases, even when they did so, only a partial claim was awarded.

Want to reduce your risk of falling victim to ransomware via credential-based attacks?  Contact us today, so that we can help protect your network and safeguard your assets while reviewing compliance with your cybersecurity policy requirements.