The Hamilton Case

A wake-up call for companies and authorities.

Zurich, Switzerland - September 17, 2025

How Validato and CypSec protect companies from costly cyber consequences

On February 25, 2024, the city of Hamilton, Ontario, became the victim of a sophisticated ransomware attack that crippled about 80 percent of its municipal network. Critical services such as business license processing, property tax administration, traffic planning, and financial and procurement systems were disrupted for weeks. The attackers demanded a ransom of 18.5 million Canadian dollars, which the city refused to pay.

What makes this incident particularly noteworthy is that the city's insurance company rejected its claim for damages due to the lack of full implementation of multi-factor authentication (MFA). As a result, the city had to bear the full costs on its own, which meant that investments in education and infrastructure had to be cut.

This incident shows that technical security measures alone are not enough to protect companies or municipalities from cyber risks. An often overlooked but crucial factor is the people behind the systems: their integrity, access rights, and actions. This is where background checks come into play.

The attack in detail: technical weaknesses and human failures

The attackers gained access through an external, internet-facing server with weak login credentials. After a period of reconnaissance and lateral movement within the internal networks, they encrypted systems and data to make them unusable. Although they tried to destroy all backups, they failed, which allowed some data to be restored. However, the insurance company denied the claim because MFA had not been fully implemented at the time of the attack. The insurance policy explicitly stated that losses caused by the absence of MFA would not be covered.

"The Hamilton case shows how even the strongest technical safeguards can fail when human risks are left unaddressed. Our mission is to help organizations prevent such blind spots by embedding reliable background checks into their security strategies from the start," said Reto Marti, Chief Operating Officer at Validato AG.

Technical weaknesses were not the only entry point. Poorly vetted service providers and internal employees with elevated access rights also contributed to the disaster. Only the combination of missing MFA, inadequate human risk management, and lack of network segmentation created the perfect storm that cost the city dearly. Nearby universities like McMaster and colleges like Mohawk had the expertise to close such gaps routinely. Instead of trusting years of domestic research on network security, the city chose not to invest locally and instead relied on unvetted foreign security vendors.

The role of background checks in cyber risk management

While technical security measures like MFA are essential, human factors within a company or city administration must not be neglected. Comprehensive background checks are an effective tool to identify and mitigate potential risks posed by internal employees or external partners at an early stage. This includes verifying qualifications, professional history, and potential conflicts of interest before hiring to ensure that only trustworthy individuals are granted access to sensitive systems.

In addition, regular rescreenings are crucial to ensure the integrity and trustworthiness of employees and partners throughout their engagement. After the Hamilton incident, the city turned to vendors from the United States and the Big Four. To significantly reduce the high costs of consulting contracts, the city also hired a Canadian shell company, focusing only on price. That company had previously been banned from participating in public tenders in another province because its founder used fake identities and failed to deliver on past projects satisfactorily.

OSINT analysis could have been used in such cases to identify potential risks of external service providers or partners through publicly available sources. Background checks should always be tightly integrated into company-wide governance, for example by embedding them in compliance standards such as ISO/IEC 27001, to meet regulatory requirements and strengthen the security strategy. This could have prevented the direct dependency on foreign actors from arising in the first place.

The shell company mentioned earlier has since gone bankrupt. It is unclear whether sensitive data was leaked. What is certain is that costs have exploded, local taxpayers' trust has crumbled, and local experts were sidelined. To prevent such scenarios in the future, CypSec and Validato are working closely together to provide comprehensive background check solutions and help companies implement and continuously improve their human risk management strategies.

Holistic risk management is essential

The Hamilton incident shows that cyber risks are not purely technical. Effective risk management must therefore address both technical and human factors. Companies should ensure that multi-factor authentication is implemented across the board to prevent unauthorized access. In addition, regular training is necessary to raise employees' awareness of security risks and increase their sensitivity to potential threats.

At the same time, companies should establish background checks to detect and mitigate potential risks from internal employees or external partners early on. Reviewing cyber insurance policies is also critical to ensure that existing security measures meet contractual requirements and provide protection when needed. Only the consistent combination of all these measures can effectively secure systems and sustainably reduce the risk of cyberattacks.

The attack on Hamilton could potentially have been prevented or at least mitigated through the early implementation of MFA and comprehensive background checks. Instead, uninvolved citizens now have to pay for the mistakes of a few decision-makers. Companies should therefore not rely solely on technical solutions but also incorporate the human factor into their security strategies. As this case shows, a single missing puzzle piece can bring down an entire security mechanism.


About Validato AG: Headquartered in Zurich, Switzerland, Validato AG provides digital background check and human risk management services to help organizations identify and mitigate insider threats before they cause harm. Its platform supports pre-employment vetting, ongoing employee rescreenings, and partner integrity checks, integrating directly into HR and compliance workflows to reduce risk exposure. For more information on Validato AG, visit validato.com.

Media Contact: Frederick Roth, Chief Information Security Officer at CypSec - frederick.roth@cypsec.de.
