Another year, another ransomware attack, another multi-million pound fine. And yet again, the root cause is depressingly familiar (and so simple to avoid).
This time it’s Advanced Computer Software Group Ltd, fined £3.07 million by the ICO after a ransomware attack in August 2022 exposed the personal data of 79,404 people, including highly sensitive health and care information. Among the data taken were details that could be used to gain entry to the homes of nearly 900 vulnerable people receiving care at home.
The attackers didn’t need any fancy new hacking techniques or Hollywood-style hacking skills. They got in through a customer account that did not have multi‑factor authentication (MFA) enabled.
It was that simple.
Enabling MFA but not enforcing it is pointless
One of the most striking parts of the ICO’s findings is that MFA was deployed across many of their systems. But it wasn’t deployed everywhere.
That gap, a single account without MFA, was enough for attackers to gain a foothold, deploy ransomware, and disrupt critical services including NHS 111.
The ICO was explicit in its conclusion:
- Lack of comprehensive vulnerability scanning
- Inadequate patch management
In other words, this wasn’t about a complete absence of security controls, it was about incomplete enforcement.
Optional MFA is not a control, it’s a risk
We still hear organisations say things like:
- “MFA is available if users want it.”
- “We’ve rolled it out to admins, not standard users.”
- “It’s on most systems, just not that one.”
This case shows exactly why this thinking is dangerous.
If MFA is optional, attackers will find the accounts where it isn’t enabled. If MFA only covers some systems, attackers will target the ones it doesn’t. If MFA is treated as a ‘nice to have’, it becomes a weak link in your security posture.
From a regulator’s perspective, optional MFA is increasingly indistinguishable from no MFA at all.
The ICO’s message could not be clearer. John Edwards, the Information Commissioner, didn’t mince his words:
“The lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
And more pointedly:
“I urge all organisations to ensure that every external connection is secured with MFA today – there is no excuse for leaving any part of your system vulnerable.”
This is not guidance anymore. It’s an expectation.
MFA is no longer ‘best practice’, it’s baseline security
For years, MFA has been described as a best practice. In reality, it has become baseline security hygiene, particularly for:
- Email accounts
- Remote access (VPN, RDP, cloud portals)
- Privileged and admin accounts
- Third-party and supplier access
- Cloud services such as Microsoft 365, Google Workspace and line-of-business platforms
Regulators, insurers, and frameworks like Cyber Essentials have been moving in this direction for some time. What this fine shows is that failure to fully enforce MFA now carries significant financial and regulatory consequences.
£3.07 million is not a theoretical risk. It can be a real invoice sent to your company.
“We’ll turn it on later” is no longer defensible
Advanced Computer Software Group’s fine was originally proposed at £6.09 million, reduced only after cooperation with the NCSC, NCA and NHS, and steps taken after the attack.
That reduction doesn’t change the core finding: the breach should not have been possible in the first place.
From a governance and risk perspective, organisations should be asking themselves:
- Do all user accounts have MFA enforced?
- Do all external access points require MFA?
- Are service accounts, legacy systems and third-party connections included?
- Is MFA enforced by policy, not left to user choice?
If the answer to any of these is “no”, you’re relying on hope as a security strategy.
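One way to turn those four questions into a repeatable check, as an added example that is not part of the original post: audit an account inventory and treat “optional” MFA as no MFA, so that a single external account without it fails the audit no matter how high the headline coverage figure is. The inventory, account names and field names below are constructed assumptions, not any vendor’s API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    kind: str       # "user", "admin", "service" or "third_party"
    external: bool  # reachable over an external connection (VPN, RDP, cloud portal)
    mfa: str        # "enforced", "optional" or "none"

# Constructed sample inventory (hypothetical names): MFA is rolled out widely,
# but one externally reachable customer account never had it switched on.
INVENTORY = [
    Account("alice@example.test", "admin", True, "enforced"),
    Account("bob@example.test", "user", True, "enforced"),
    Account("carol@example.test", "user", True, "enforced"),
    Account("customer-portal-42", "third_party", True, "none"),
    Account("svc-backup", "service", False, "optional"),
]

def mfa_enforced(acct: Account) -> bool:
    """Optional MFA counts as no MFA: an attacker picks the account where it is off."""
    return acct.mfa == "enforced"

def audit(inventory):
    """Apply the four governance questions and return findings plus a verdict."""
    gaps = [a for a in inventory if not mfa_enforced(a)]
    findings = {
        "not_enforced": [a.name for a in gaps],
        "external_without_mfa": [a.name for a in gaps if a.external],
        "service_or_third_party_without_mfa": [
            a.name for a in gaps if a.kind in ("service", "third_party")
        ],
        "left_to_user_choice": [a.name for a in inventory if a.mfa == "optional"],
    }
    covered = len(inventory) - len(gaps)
    findings["coverage_pct"] = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    # High coverage is not a pass: one external account without MFA fails the audit.
    findings["verdict"] = "FAIL" if findings["external_without_mfa"] else "PASS"
    return findings

if __name__ == "__main__":
    for key, value in audit(INVENTORY).items():
        print(f"{key}: {value}")
```

In practice the inventory would be exported from the identity provider and remote-access gateways rather than typed in by hand; the point of the check is that the verdict is driven by the worst account, not the average.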
Lessons Learned
MFA must be:
- Mandatory
- Comprehensive
- Enforced by policy
- Applied to every external connection
Not optional. Not partial. Not “we’ll get to it later”.
Because attackers only need one account without MFA. And as Advanced Computer Software Group has discovered, that single gap can cost millions.
Want to know where your gaps are?
Mandatory MFA is just one part of the picture. Regulators and attackers alike are looking at the whole security posture (identity, patching, vulnerability management, access controls and monitoring).
If you’d like to:
- Understand which security controls are mandatory versus recommended for your organisation
- Check whether MFA is fully and correctly enforced across all accounts and systems
- Identify gaps before attackers do
Talk to an expert.
At Consider IT, we help organisations assess, implement and enforce the security controls that matter – not just to pass a framework, but to reduce real-world risk.
Get in touch to find out whether your security controls would stand up to scrutiny before you become the next cautionary tale.