The UK’s Information Commissioner’s Office (ICO) has issued a clear warning: if your organisation suffers a preventable data breach due to not using multi-factor authentication (MFA), expect serious consequences, including substantial fines.
MFA is no longer a “nice to have”; it is a basic expectation for any organisation handling sensitive data, especially in regulated sectors like financial services (FS). As Stephen Bonner, the ICO’s Deputy Commissioner, recently told Infosecurity Magazine, “There’s no excuse” for failing to deploy MFA across all external connections. It is a mature and accessible technology, and the benefits far outweigh the costs.
The Risks Are Real and Costly
This warning comes on the back of a £3.07 million fine issued to IT software provider Advanced (Advanced Computer Software Group) after a 2022 ransomware attack. The breach exposed the personal data of nearly 80,000 people, including critical healthcare data, and caused widespread disruption to NHS services.
One of the key failings? A customer account used by attackers didn’t have MFA enabled.
The ICO made it clear that not wanting to inconvenience customers isn’t a valid reason for skipping MFA. As Bonner stated, “If you’re entrusted with this kind of data, there’s a minimum set of standards you have to achieve, and this is absolutely one of them.”
Other contributing failures included poor patch management and inadequate vulnerability scanning, issues that any well-governed financial services organisation should already be addressing.

Why This Matters for Financial Services
Financial services firms are prime targets for cybercriminals because of the sensitive financial and personal data they handle. That makes MFA, and increasingly passwordless authentication, a foundational layer of defence.
Regulators are taking notice. While the ICO typically focuses on working with organisations to improve their security posture, this case signals a shift. Fines will be issued when fundamental security controls are missing.
Worse, if you’re a data processor handling data on behalf of clients, you’re no longer shielded. This case marks the first time the ICO fined a processor directly, reinforcing that responsibility doesn’t lie with the data controller alone.
How Can We Help?
As a Gold Partner of RSA Security, DTE supports financial services organisations in rolling out robust, scalable MFA and passwordless solutions. RSA’s SecurID technology is trusted by banks, insurers, and investment firms globally, and DTE has the expertise to implement it efficiently, without disrupting your operations.
We help financial services organisations align with FCA guidance, ISO 27001, and GDPR, ensuring security controls like MFA are not only implemented but also future-ready.
Get in touch for more information on how we can help you succeed and stay safe.
