
MFA failure costs Hamilton $18m in cyber insurance payout
On February 25th, 2024, a sophisticated ransomware attack struck the City of Hamilton, crippling roughly 80 percent of its network. This included business licensing, property-tax processing, and transit-planning systems. Cybercriminals proceeded to demand an $18.5 million ransom that the city refused to pay. In April 2025, a new and interesting facet to this story emerged. Hamilton’s insurer denied the city’s insurance claim, citing the absence of fully implemented multi-factor authentication (MFA) at the time of the breach.
This has left taxpayers on the hook for an $18.3 million cleanup and recovery bill. We’ll take a look at how the attack played out and why the lack of MFA has proved to be so costly.
Why was Hamilton’s cyber insurance claim denied?
Specops Cybersecurity Specialist David Ketler explains how the story played out: “The Canadian city of Hamilton, Ontario fell victim to a ransomware attack in February 2024. This attack was similar to countless others where initial access was gained via an externally-facing machine with weak credentials, which then led to internal infrastructure being encrypted and a ransom for the decryption binaries being posted.
“What is unusual about this attack is the denial of the cybersecurity insurance claim. What has been reported by the city is that they declined to pay the ransom (as is best practice) and attempted to recover the costs related to recovering from the attack. But said claim was denied due to not having implemented MFA. This implies the initial access was related to weak credentials, with no MFA configured, which then led to encryption of internal systems and a ransom being demanded.”
A quote from Hamilton Mayor Andrea Horwath provided some further details: “I understand why Hamiltonians are frustrated – this was a serious and costly breach. We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard, and we’re not okay with that.” The update also revealed that attackers disabled nearly 80% of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data.
Specops analysis: What can we learn about MFA and insurance?
David offers the following advice for organizations: “This incident isn’t unusual in the tools or escalation chain that led to the encryption of internal systems, but what is unusual is the refusal of insurance coverage due to MFA not being implemented. This goes to show that the cost of not implementing MFA is not just a nebulous security risk, but also a real financial one. There’s now precedent where an insurance claim has been denied due to poor authentication controls.
“Not only should an organization implement MFA to the best of their ability to protect any internal systems and confidential information, but doing so is a requirement of cybersecurity insurance policies that will lead to claims being denied.
“A solution such as Specops Secure Access combined with Specops Password Policy provides full-stack protection not only against attackers attempting to leverage password re-use or weak credentials, but also satisfies cybersecurity insurance policy requirements. A well-configured MFA solution, combined with a breached password corpus can reduce not only the risk to an organization, but also the financial risk of recovery, and the denial of a claim.”
Key takeaways from the Hamilton cyber-attack and insurance fallout
- Enforce multi-factor authentication (MFA) across all accounts: The City of Hamilton’s insurer denied the cyber insurance claim explicitly because MFA had not been fully implemented at the time of the attack, underscoring that passwords alone are insufficient protection against modern threats.
- Maintain and regularly test immutable, offline backups: Attackers attempted (but ultimately failed) to destroy Hamilton’s backups. However, several critical systems lacked recoverable backups and were unrecoverable, illustrating that backup integrity and offline isolation are essential to swift recovery.
- Implement robust network segmentation: The ransomware spread laterally across approximately 80% of Hamilton’s network within days. Proper segmentation can contain breaches to limited zones, preventing attackers from crippling broad sections of infrastructure.
- Conduct frequent phishing simulations and employee training: Infections originating from a single phishing email went undetected for over a week, demonstrating that human factors remain a primary attack vector. Ongoing awareness programs and realistic simulations can help reduce the risk of initial compromise.
- Align cyber insurance with security posture: Hamilton’s $18.3 million bill highlights the importance of aligning insurance coverage terms with actual security controls. Organizations must ensure they meet all policy requirements, such as MFA and incident response plans.
- Develop and exercise incident response plans: Although Hamilton contained the incident within 48 hours and maintained critical services, having a documented, regularly exercised incident response playbook would further reduce downtime and expedite decision-making under pressure.