Cyber Incident Victim: City of Burlington

On May 16, 2019, the City of Burlington transferred approximately $503,000 to a fraudulent bank account after falling victim to a phishing attack. City staff received a sophisticated email impersonating an established vendor, requesting a change to the vendor’s banking information. The falsified documents accompanying the email displayed a level of complexity not commonly observed in typical phishing attempts, according to subsequent statements by Burlington Mayor Marianne Meed Ward. The city processed the fraudulent banking update and executed the transfer before detecting the deception on May 23, 2019—seven days after the initial transaction. Upon discovery, municipal authorities immediately notified their financial institution and the Halton Regional Police to initiate recovery efforts and a criminal investigation. The city confirmed its internal IT systems remained secure throughout the incident, with no evidence of unauthorized access, data breaches, or compromise of personal information.

Burlington’s interim city manager, Tim Commisso, publicly affirmed the seriousness of the incident while announcing an independent external investigation to review procedural failures. This review would report findings directly to the city council and audit committee, alongside the ongoing police investigation. Municipal officials implemented additional internal financial controls to prevent recurrence but acknowledged that further process adjustments might follow the external review’s recommendations. The city characterized the event as part of a broader pattern of targeted cyber-fraud schemes affecting governments and businesses with increasing sophistication. Mayor Meed Ward emphasized the necessity for heightened vigilance against online scams and urged prompt reporting to authorities, underscoring that public institutions face comparable risks to individuals in phishing scenarios. No recovery status for the transferred funds was disclosed in available reports.