Ontario’s Ministry of Economic Development, Job Creation and Trade stated in a filing to Ontario’s Information and Privacy Commission that URLs (website addresses) for one of its internal databases should not be disclosed because releasing the records “could reasonably be expected to endanger the security of information stored in its electronic Client Relationship Management System (eCRM).”

In a decision posted to CanLII today, the IPC agreed and ruled the URLs need not be disclosed.

In its submissions, the Ministry stated:

“… a phishing attack, if successful, could open the door for ransomware attacks, which could disable public institutions’ IT systems, for example, most recently, on February 15, 2024, a ransomware attack disabled some of the City of Hamilton’s IT systems and disrupted services to the public. While the City of Hamilton has restored many of their services, a timeline for full recovery is not yet known.”

The City of Hamilton has previously disclosed a ransom was demanded.

City Council has not revealed details regarding how the failure occurred, nor why the City failed to have backups, two-factor authentication for superusers and IT administrators, or why nearly every City system — including emergency services backup centres — were all interconnected.

The Ministry’s statement says the Hamilton incident began on February 15, 2024.

More than sixteen months later, the City of Hamilton is still working to restore some municipal services.

The City incident is being monitored by other government bodies across Canada and beyond due to the extent of the breach.


Production Details
v. 1.0.0
Published: July 3, 2025
Last updated: July 3, 2025
Author: Joey Coleman

Update Record
v. 1.0.0 original version

Leave a comment

TPR welcomes constructive and civil discussion. Comments are moderated.

Your email address will not be published. Required fields are marked *