Hamilton’s City Clerk Matthew Trennum said the latest privacy breach by a section of the City Clerk’s Office was caused by a software bug involving eScribe’s online services, which the City of Hamilton uses to organize council meetings.
“This breach resulted from a vulnerability in third-party software specifically eScribe’s Board Manager program. This issue was related to the vendor’s software and was not specific to the City of Hamilton,” Trennum said in a written response to questions. “A configuration error by the vendor made certain applicant profiles accessible through direct links, although they were not intentionally published or broadly visible online.”
On January 29, 2026, a citizen notified two members of City Council that confidential citizen applications were published on the City’s public agendas portal. The councillors immediately notified the Clerk’s Office and the information was quickly removed from the internet.
During a follow-up in-person interview, Trennum said access logs revealed that only one person’s application was accessed, by the citizen who reported the breach, and that person has confirmed they have not retained a copy. The citizen who filed the report is also a member of another City committee.
“There is no evidence to suggest that any information was misused,” Trennum stated in his written response. “However, out of an abundance of caution, the City has notified all affected individuals and reported the incident to the Information and Privacy Commissioner.”
Thirty-three individuals were notified.
During the follow-up interview, Trennum said the City continues to implement better systems and processes to prevent privacy breaches, though he did not provide specifics on what those measures entail.
This is the sixth known privacy breach by the City Clerk’s division in less than three years.
In June 2025, the office published the bank account information of a corporation. A law firm had paid a mandatory Planning Act fee using a cheque, and the City published a copy of the cheque in a Planning Committee agenda.
In April 2025, the office disclosed the home address, personal phone number, and personal email of a person who requested to delegate to council.
In January 2025, the municipality shared the personal information of a delegate with “three Hamiltonians” who did not work for the municipality. The City did not explain the identities of those individuals or how the breach occurred.
In January 2024, the office published the personal information of 36 people who delegated to city council.
During the 2022 municipal election, the City Clerk’s Office committed the largest-ever municipal election privacy breach, revealing the identities and personal emails of hundreds of people who registered to vote by mail.
The City’s February 2024 cybersecurity breach was one of the largest privacy breaches in Canadian municipal history.
Ontario’s Information and Privacy Commissioner has ruled, in other cybersecurity breaches, that the encryption of personal information constitutes a privacy breach — a determination Hamilton initially disputed. The Divisional Court upheld the Commissioner’s interpretation, confirming that cybersecurity failures are privacy breaches under Ontario law.
In July 2025, the Police Board’s Executive Director, a City of Hamilton employee, published the home address and personal cellphone number of a delegate.
In each of these past incidents, the City of Hamilton pledged that its digital process improvements would prevent future privacy breaches.
Production Details
v. 1.0.0
Published: May 2, 2026
Last updated: May 2, 2026
Author: Joey Coleman
Update Record
v. 1.0.0 original version