DOSSIER №02 — MAY 2026
Hamilton knew.
Three years before the February 2024 ransomware attack, Hamilton's IT audit flagged critical weaknesses. Not all of the recommendations were actioned. The recovery has cost $18.3 million.
The City of Hamilton's internal IT audit identified critical weaknesses in its systems approximately three years before the February 2024 ransomware attack that has now cost the city CAD $18.3 million in recovery. The audit findings were on the record. The remediation, in material part, was not.
The City of Hamilton suffered a ransomware incident in February 2024 that took multiple municipal systems offline. Recovery has been ongoing through 2024 and 2025. As of the City's own post-incident summary published 30 July 2025, the financial impact totals approximately CAD $18.3 million. The municipality's insurance claim, by the city's own disclosure, was denied.
The detail that elevates this from one incident into a procurement-governance question is that Hamilton's internal IT audit had already flagged critical weaknesses in the city's systems approximately three years prior. The audit findings existed on the record. The remediation, in material part, did not happen between the warning and the breach. The gap between audit and remediation is where the breach lives.
Hamilton is named here because Hamilton is the documented case. The pattern — an audit identifying weaknesses, recommendations queued behind other priorities, exposure that persists through the next budget cycle — is not unique to Hamilton. Audits exist in every municipality. The Office of the Auditor General has separately reported that the federal government does not maintain a comprehensive, up-to-date inventory of IT assets, which means downstream municipalities often cannot tell which vulnerabilities they are exposed to in the first place.
For a CAO reading this dossier: the question is not whether the practice you currently work with is competent. The question is which previously flagged audit findings against your public-facing systems are still open, and whether the next procurement cycle is the one that closes them. A rebuild on auditable static architecture — no PHP, no database, no plugin supply chain, no third-party admin surface — closes a specific category of long-standing audit findings in one procurement cycle.
Under the threshold, over the standard.
The Fit For Gov delivery model is sized to land beneath the direct-award ceiling in most Canadian provinces (NWPTA $75,000 for BC, AB, SK, MB; CFTA $139,000 elsewhere), so closing those audit findings does not require a tender, a procurement committee, or a multi-quarter approval cycle. The principal signs every deliverable.