City believes personal data is safe during Hamilton cyberattack. Experts say that's unusual

In the two weeks since a ransomware attack against the City of Hamilton downed multiple city services, officials have maintained they believe no personal information has been compromised. 

"That's nice to believe and I like to think that unicorns still exist somewhere in the world, but I don't think it's very likely," hacker and cyber expert Jayson E. Street told CBC Radio's Day 6 this past week, reflecting on the case. 

Local officials have been tight-lipped about the hack, saying the sensitive nature requires discretion. But cybersecurity experts tell CBC that generally, it's rare for personal information to be spared in an attack like this.

Street said that often, criminals will not only steal and ransom data, but copy it and extort targets by threatening to release it publicly. Street gets hired to test companies' defences by trying to hack through them using methods such as fake websites, or deceiving workers to gain physical access to computers and restricted areas.

He says cities' systems have too many access points to count, and hackers can exploit all of those.

The city hasn't shared how ransomware got into its system, but that sort of software generally works by blocking a user from accessing their system or data until they pay a sum of money. According to the Canadian Centre for Cyber Security, it's likely the most disruptive form of cyber crime and can take out entire systems. 

Calvin Chrustie, a risk consultant and former RCMP senior operations officer, previously told CBC Hamilton that the city "would be considered extremely fortunate if they [the attackers] didn't have access to some personal data in a situation like this."

CBC Hamilton asked officials if they still believe personal information to be safe, how confident they are and why. A Hamilton spokesperson did not respond by deadline. 

Day 69:26A hacker's advice to cities hit by ransomware attacks

Hamilton, Ontario, confirmed this week it was hit by a ransomware attack that took many of its services off-line and shut down city council meetings. Jayson E. Street, a hacker who gets hired to test companies' defenses by trying to hack through them, says cities are extraordinarily vulnerable right now, but that there are ways to keep themselves safe and everyone's data secure.

Cyber attack started over two weeks ago

On Feb. 25, the cyberattack shut down most city phone lines, paused council and committees — meetings are set to restart March 27 — and disrupted services including the library, bus schedule app and payment processing.

City manager Marnie Cluckie has said it's "impossible to know" how long it will take to get operations back.

In an email Monday, a city spokesperson told CBC Hamilton the municipality is delayed in processing approximately $36 million in pre-authorized property tax payments, "until such time as services are restored."

How ransomware attacks work and their sweeping impacts

9 months ago

Duration 2:37

McMaster University Prof. Andrea Zeffiro, who focuses on critical data studies, says vulnerable communities are more likely to be impacted by the attack that's suspended Hamilton services for over a week.

On Tuesday, Mario Posteraro, president of OPSEU Local 256 which represents over 450 paramedics, was one of several union leaders who shared ways in which the attack is affecting their members.

He said some workers haven't been able to get paid for overtime work and have concerns about whether their personal information has been breached.

As an employer and through its programs, the city collects a wide range of information, from worker banking data to addresses of families who use services like recreation centres and housing support. 

Municipalities are appealing targets for criminals

Hamilton is far from the only municipality dealing with cyber threats. Huntsville is dealing with an attack which began on Monday and the Toronto Public Library recently recovered from an attack after four months. 

Last week, Kush Sharma, a director at Municipal Information Systems Association Ontario, told CBC Hamilton that municipalities house critical systems such as water and transportation, and that attackers want targets where they can shut down services or steal personal information they can use as leverage for payment.

Municipal breaches are not tracked by one body, Sharma said, but based on a survey his organization conducted in 2023, municipalities that faced significant breaches took up to a month to recover critical systems and faced ransom demands ranging from less than $50,000 to over $1 million. 

Street told Day 6 that preventing attacks involves making workers more aware of threats, because employees are often the first line of a system's defence.

"We don't assume risk sometimes. When we feel like we're in a safe area … we forget that there's going to be danger," he said. 

You can't foolproof a system, he said, but dividing systems to limit access to personal and private data helps.

"Even if they break into the rest of the castle and they sack the castle and they get all the employee emails and they get all the transactions and bring down the web server … they still didn't have access to the crown jewels."