The City of Hamilton published the bank account information of a corporation on its website Friday.
I (Joey Coleman) notified the City of the breach at 3:45 p.m. on Friday.
It was removed at approximately 4:45 p.m.
Unredacted Cheque Posted to City Website
The City Clerk’s Office included an unredacted cheque in an information package published as part of a Council agenda package. The cheque proved that a legal firm had paid a filing fee on behalf of one of its clients.
While the package is technically a public document that anyone could request to view at City Hall, publishing it online significantly increases exposure of the sensitive banking information.
The release of the banking information increases phishing risk for the exposed party.
City of Hamilton Lost Hundreds of Thousands to False Vendor Frauds – Phishing Risk
The Office of the City Clerk is part of Hamilton’s Finance and Corporate Services department.
Staff in FCS, as the department is known at City Hall, are presently undergoing basic financial and fraud prevention training following a series of vendor frauds in which City staff transferred hundreds of thousands of dollars to individuals posing as vendors to whom the City owed funds.
In one instance involving a $552,000 transfer, the City failed to heed repeated warnings. A few weeks before the City sent the $552,000 wire transfer, the legitimate vendor emailed the City, “advising that they had experienced a security breach” and asked the City “to call them if any requests to change their banking were made.”
Release of Banking Info Increases Fraud Risk
The publication of the banking information creates an increased fraud risk for the legal firm. Fraudsters harvest vast amounts of data on the internet. They combine personal and financial information from other privacy breaches to convincingly impersonate individuals and firms, equipped with enough real information to appear credible.
Production Details
v. 1.0.0
Published: June 30, 2025
Last updated: June 30, 2025
Author: Joey Coleman
Update Record
v. 1.0.0 original version
This is uber stupid. Hasn’t the city learned yet? Any change in payment information for any vendor, regardless of how small the amount might be, should be verified by phone first. It’s standard cyber security 101. The City of Burlington’s been caught with their pants down twice on this now. You’d think the City of Hamilton would have used that as a free lesson in secure payment protocol. Especially after the hacking fiasco a few years ago.
Can we be serious for a minute…omg