Professional service firms rely on trust. Whether you’re an IFA, solicitor, accountant, mortgage broker, planning consultant or charity, your clients expect their information to be protected at every stage.
But what if a password your team hasn’t used in years could still unlock your systems?
That’s exactly what happened in a recent large‑scale cyber incident. No dramatic hacking attempts. No clever exploitation. Just old login credentials quietly doing damage.
And the businesses affected all had one thing in common: they weren’t enforcing MFA.
How attackers gained access — and why it worked
A cybersecurity investigation uncovered that criminals were collecting sensitive data from organisations across the world using infostealing malware.
This malicious software silently extracts saved passwords and login details from any device that’s been used to access work systems. And that includes:
- Home laptops
- Personal devices
- Outdated office machines
- Any device used to log into cloud or web‑based applications
Once stolen, the passwords often sit on the dark web for years before being used.
And that’s where the real problem lies.
Many of the passwords used in this attack were several years old — yet they still worked.
For professional service firms handling financial documents, legal files, planning data or donor records, that’s a nightmare scenario.
It revealed two critical issues:
- Passwords weren’t being refreshed
- Old accounts and credentials were still trusted by systems
That means a device infected years ago can become a modern‑day threat without warning.
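To make those two findings concrete, here is an added example (not part of the original post) that audits a constructed account export for exactly these gaps: passwords that haven't been refreshed, idle accounts that are still enabled and trusted, and users without MFA. The column names, thresholds and audit date are assumptions; map them to whatever your identity provider actually exports.

```python
# Added example, not from the original post: audit a constructed account
# inventory for passwords never refreshed, idle accounts still trusted,
# and users with no MFA. Field names and thresholds are assumptions.
import csv
import io
from datetime import date, datetime

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
user,last_password_change,last_login,mfa_enrolled,enabled
alice@example.test,2024-11-02,2025-06-10,yes,yes
bob@example.test,2019-03-15,2025-06-09,no,yes
carol@example.test,2020-01-20,2021-02-01,no,yes
dave@example.test,2018-07-07,2025-06-01,yes,yes
erin@example.test,2017-05-30,2018-01-15,no,no
"""

AUDIT_DATE = date(2025, 6, 15)   # assumed "today" for the audit
MAX_PASSWORD_AGE_DAYS = 365      # assumed policy: refresh at least yearly
STALE_LOGIN_DAYS = 180           # assumed policy: disable after six idle months


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date()


def audit_accounts(export_text, today):
    """Return {user: [findings]} for enabled accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].lower() != "yes":
            continue  # a disabled account cannot be logged into at all
        problems = []
        pw_age = (today - parse_date(row["last_password_change"])).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            problems.append(f"password not refreshed for {pw_age} days")
        idle = (today - parse_date(row["last_login"])).days
        if idle > STALE_LOGIN_DAYS:
            problems.append(f"no login for {idle} days but still trusted")
        if row["mfa_enrolled"].lower() != "yes":
            problems.append("MFA not enrolled: a stolen password alone grants access")
        if problems:
            findings[row["user"]] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(user)
        for problem in problems:
            print("  -", problem)
```

An account that shows up with both an old password and no MFA is precisely the combination the incident above relied on, so those are the ones to fix first.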
The simple safeguard that was missing: MFA
Every business involved allowed access using only a username and password.
In professional services — where regulators and compliance frameworks such as the FCA, the SRA, GDPR and charity governance demand stronger controls — this is a major vulnerability.
MFA (Multi‑Factor Authentication) adds a quick second step to logins, such as:
- A code sent to your phone
- A mobile app approval
- A biometric scan
This single extra step instantly disables the value of stolen passwords.
If MFA had been in place during these attacks, the criminals would have been completely blocked.
“But MFA is inconvenient…”
We hear this a lot.
And yes, MFA adds a few seconds to the login process. But compare that to:
- Leaked client financial data
- Compromised legal files
- Misused planning documents
- Breached donor or supporter information
- Business disruption
- Reputational harm
For professional services, where confidentiality and compliance are non‑negotiable, MFA isn’t a nice‑to‑have — it’s essential.
Old mistakes don’t disappear — but you can stop them becoming threats
Cybercriminals rely on outdated credentials sticking around.
MFA prevents old, forgotten passwords from becoming open doors into your systems. It turns stolen logins into worthless strings of characters.
For firms that want to protect client data, meet compliance obligations and reduce risk, enforcing MFA is one of the simplest, strongest steps you can take.
If your organisation needs help reviewing its security or implementing MFA, we’re here to support you.
What next?
One of my passions is helping businesses to succeed, and if I can help you save some money as well – even better. You can fill out our contact form, phone us or click on the appointment button below and let’s start a conversation to see if I can help your business. Our guarantee:
- This is a 100% free 15-minute consultation with no hidden charges.
- We will never spam you or sell on your contact details.
- We will treat your information with absolute confidentiality.