Why Multi-Factor Authentication Could Have Prevented the Synnovis Death

On 3 June 2024, the Qilin ransomware gang compromised Synnovis, an NHS pathology provider, through credential-based access. A patient died because blood test results were delayed. Beverley Bryant, who served as Chief Digital Information Officer at the affected NHS trusts during the attack, stated publicly that the breach "may not have happened" if two-factor authentication had been in place.

The mechanism is not speculation. What follows is exactly how multi-factor authentication blocks the access path that a stolen password gives an attacker, how that maps onto what is publicly known about Synnovis, and why this death was preventable.

How Credential-Based Attacks Work

A large share of ransomware intrusions, Synnovis among them, begin with stolen credentials. Mandiant's M-Trends 2025 report found that stolen credentials had become the second most common initial access vector in its investigations, overtaking phishing for the first time; only exploitation of vulnerabilities ranked higher.

Here is the typical attack sequence:

Stage 1: Credential Acquisition

Attackers obtain valid usernames and passwords through multiple sources:

  • Data breaches at other organisations (credential stuffing)

  • Phishing campaigns targeting employees

  • Info-stealer malware on personal devices

  • Purchase from dark web marketplaces

  • Social engineering attacks

Stage 2: Initial Access

With valid credentials, attackers authenticate to legitimate services:

  • Email accounts (Microsoft 365, Google Workspace)

  • VPN endpoints

  • Remote desktop services

  • Cloud management consoles

  • Administrative portals

Because the credentials are valid, the sign-in looks like the legitimate user to any system that checks only the password. Unless the organisation has sign-in risk detection (unfamiliar device, new country, impossible travel) and someone actually watching the alerts, nothing fires. Most small and mid-sized organisations have neither, so the attacker looks exactly like the legitimate user logging in.

Stage 3: Privilege Escalation and Lateral Movement

Once inside with one set of credentials, attackers:

  • Harvest additional credentials from memory

  • Extract passwords from browser stores

  • Dump credentials from Active Directory

  • Move laterally through the network

  • Escalate to administrative accounts

Stage 4: Ransomware Deployment

With administrative access established, attackers deploy ransomware across the organisation's systems. By this point, they have often been inside the network for days or weeks, studying the infrastructure and ensuring maximum damage.

How MFA Breaks This Chain

Multi-factor authentication requires at least two independent pieces of evidence, drawn from different categories, to prove identity:

  • Something you know (password)

  • Something you have (phone, security key, authenticator app)

  • Something you are (biometric)

Even if an attacker steals your password, they cannot authenticate without the second factor. Let me show you why this is technically effective.

Breaking Stage 2: The Critical Intervention

MFA stops the attack at Stage 2, initial access. Even with valid stolen credentials, the attacker hits a wall.

Without MFA:

  1. Attacker enters stolen username and password

  2. System validates credentials

  3. Access granted

  4. Attack proceeds

With MFA:

  1. Attacker enters stolen username and password

  2. System validates credentials

  3. System requests second factor (push notification, code, security key)

  4. Attacker does not have access to victim's phone or security key

  5. Authentication fails

  6. Attack stops

The attacker is locked out. The compromised credentials are useless on their own. The attack chain is broken before any damage occurs.

Can Attackers Bypass MFA?

Some people argue that MFA can be bypassed. This is true, but the methods differ enormously in strength, and the argument cuts in favour of better MFA rather than none. SMS codes are the weakest: they fall to SIM swapping and can be read off a phished page. Authenticator-app codes (TOTP) and push approvals are a large step up, but a real-time phishing kit that proxies the genuine login page can relay either within its validity window, and push approvals are the target of the fatigue attacks covered below. Hardware security keys and passkeys built on FIDO2 are the common methods that resist phishing outright. Separately, an attacker who steals an already authenticated session cookie from an infected device never sees an MFA prompt at all; MFA protects the login, not the session that follows it, which is why device hygiene still matters. Every one of these methods, including the weakest, defeats the attack described in this article: a stolen password used on its own.

FIDO2 Security Keys

Hardware security keys using the FIDO2 standard provide cryptographic proof of possession. They:

  • Sign a fresh server-supplied challenge with a private key that never leaves the key

  • Bind each credential to the domain it was registered with (the relying party ID)

  • Prevent phishing because the browser will not let the key sign for a look-alike domain, so there is nothing for a fake site to relay

  • Cannot be cloned or read out remotely; the private key lives only in the device

Authenticator Apps

Time-based one-time passwords (TOTP) generated by authenticator apps:

  • Derive a six-digit code from a shared secret and the current time, changing every 30 seconds

  • Require possession of the device holding the secret (or of a backup of that secret)

  • Depend on a secret that exists on the device and on the server, so a server-side leak of TOTP seeds compromises every enrolled user

  • Can be phished in real time: a proxy that forwards the code within its 30-second window is accepted, which is why TOTP is a strong second factor but not a phishing-resistant one

The Synnovis Reality

According to published reports, Synnovis did not have MFA enabled on the systems that Qilin compromised. This created a situation where:

  1. Qilin obtained valid credentials (method not publicly disclosed)

  2. Qilin authenticated to Synnovis systems using these credentials

  3. No additional verification was required

  4. Qilin gained access to pathology management systems

  5. Qilin deployed ransomware

  6. Blood testing services collapsed

  7. A patient died waiting for results

If MFA had been enabled, the sign-in at step 2 would have stopped for a second factor the attackers did not hold, and step 3 would never have been "no additional verification". Qilin would not have gained access with a password alone. The ransomware would not have been deployed, the blood test results would not have been delayed, and the patient would likely still be alive.

The Cost of Implementation

Here is the truly infuriating part. For almost every organisation, MFA costs nothing in licence fees.

Microsoft 365

MFA is included in every Microsoft 365 plan. Security Defaults, switched on from the admin portal, enforce MFA registration and prompts for all users in one setting. Finer-grained Conditional Access policies, such as requiring a phishing-resistant method for administrators, need Entra ID P1, which Business Premium already includes. The configuration itself takes minutes; the real work is walking staff through enrolment.

Google Workspace

Two-factor authentication is included free in all Google Workspace plans. Configuration through the admin console takes approximately 10 minutes.

Most SaaS Applications

The vast majority of cloud applications include MFA as a standard feature. Those that charge extra for MFA should be viewed with deep suspicion and replaced with competitors who do not extract additional payment for basic security.

Hardware Security Keys

Even if an organisation chooses to deploy FIDO2 hardware security keys for maximum security, the cost is approximately £20-40 per user. For an organisation the size of Synnovis, this would represent a capital expenditure of perhaps £50,000-100,000 maximum. Compare this to the £37.7 million cost of the breach.

Implementation for Small Businesses

If you run a small business, here is your action plan:

Step 1: Audit Current MFA Status

Create a spreadsheet listing every service your business uses:

  • Email platform

  • Accounting software

  • CRM system

  • Cloud storage

  • Any administrative portals

  • Website hosting control panels

For each service, document:

  • Does MFA exist? (Yes/No)

  • Is MFA enabled? (Yes/No)

  • What type of MFA? (SMS/App/Hardware Key)
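The spreadsheet tells you what the vendor says is enabled. The sign-in logs tell you what is actually in effect. The script below is an added example for this article (not code from Synnovis or from any vendor): it reads a batch of sign-in records shaped like Microsoft Entra ID's sign-in logs and reports every account that completed a successful sign-in with a password alone, which is exactly the Stage 2 sign-in that raises no alarm, plus accounts where a correct password was followed by repeated MFA failures, meaning the password is already in attacker hands. The records are constructed; the field names follow Entra's sign-in log schema, and the reading of error code 500121 as "password accepted, MFA step failed" is my interpretation of Microsoft's error reference and should be checked against it before you rely on it.

```python
"""
Audit a batch of cloud sign-in records for accounts that MFA is not actually
protecting. Added example for this article, not code from Synnovis or any vendor.

Record shape is modelled on Microsoft Entra ID sign-in logs (userPrincipalName,
authenticationRequirement, status.errorCode, ipAddress, location.countryOrRegion).
All records below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List

HOME_COUNTRY = "GB"
WRONG_PASSWORD = 50126    # AADSTS50126: invalid username or password
MFA_STEP_FAILED = 500121  # AADSTS500121: password accepted, strong-auth step failed
                          # (assumption about the code's meaning; check Microsoft's reference)
DENIAL_THRESHOLD = 3      # this many MFA failures for one account = treat password as stolen


def record(ts, upn, requirement, code, ip, country):
    """Build one constructed sign-in record in the Entra-like shape used here."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "authenticationRequirement": requirement, "status": {"errorCode": code},
            "ipAddress": ip, "location": {"countryOrRegion": country}}


SAMPLE_SIGN_INS = [
    # Protected user, MFA satisfied, from the home country: nothing to report.
    record("2024-06-01T08:02:11Z", "a.nurse@example.test", "multiFactorAuthentication", 0, "203.0.113.10", "GB"),
    # Shared service-desk account: the password alone was enough. MFA is not in effect.
    record("2024-06-01T08:15:40Z", "svc.desk@example.test", "singleFactorAuthentication", 0, "203.0.113.22", "GB"),
    # Same account, password alone, from another country an hour later.
    record("2024-06-01T09:20:05Z", "svc.desk@example.test", "singleFactorAuthentication", 0, "198.51.100.7", "RU"),
    # Protected user whose password has leaked: password right, MFA step failing, repeatedly.
    record("2024-06-01T02:01:00Z", "b.clerk@example.test", "multiFactorAuthentication", MFA_STEP_FAILED, "198.51.100.9", "NL"),
    record("2024-06-01T02:01:30Z", "b.clerk@example.test", "multiFactorAuthentication", MFA_STEP_FAILED, "198.51.100.9", "NL"),
    record("2024-06-01T02:02:00Z", "b.clerk@example.test", "multiFactorAuthentication", MFA_STEP_FAILED, "198.51.100.9", "NL"),
    # Plain wrong password: noise, not a finding on its own.
    record("2024-06-01T11:45:00Z", "c.porter@example.test", "singleFactorAuthentication", WRONG_PASSWORD, "203.0.113.40", "GB"),
]


def accounts_without_mfa_in_effect(records) -> List[str]:
    """Accounts that completed a sign-in where the password alone was sufficient.
    A single-factor success can also come from a policy exclusion (trusted network,
    legacy protocol); either way that sign-in would have gone through with a stolen password."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["status"]["errorCode"] == 0
                   and r["authenticationRequirement"] == "singleFactorAuthentication"})


def audit(records, home_country: str = HOME_COUNTRY) -> Dict[str, List[str]]:
    """Return {account: sorted findings}. Accounts with nothing to report are absent."""
    findings = defaultdict(set)
    mfa_failures = defaultdict(int)
    for r in records:
        upn = r["userPrincipalName"]
        code = r["status"]["errorCode"]
        country = r.get("location", {}).get("countryOrRegion", "unknown")
        single = r["authenticationRequirement"] == "singleFactorAuthentication"
        if code == 0 and single:
            findings[upn].add("signed in with password only: MFA not in effect")
            if country != home_country:
                findings[upn].add(f"password-only sign-in from {country}: treat as active compromise")
        elif code == MFA_STEP_FAILED:
            mfa_failures[upn] += 1
    for upn, n in mfa_failures.items():
        if n >= DENIAL_THRESHOLD:
            findings[upn].add(f"{n} MFA challenges failed after a correct password: reset it, MFA is all that is holding")
    return {upn: sorted(f) for upn, f in findings.items()}


if __name__ == "__main__":
    for upn, notes in audit(SAMPLE_SIGN_INS).items():
        print(upn)
        for note in notes:
            print("   -", note)
```

Run this over an export of the last month of sign-ins and the "password only" list is your real Step 1 answer for the email platform, whatever the admin console claims. The second finding type is worth acting on even though MFA held: the attacker has a working password and will keep trying it elsewhere.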

Step 2: Enable MFA Everywhere Possible

Start with your most critical systems:

  • Email (highest priority - email compromise leads to everything else)

  • Financial systems

  • Customer databases

  • Administrative accounts

Work through your entire list systematically. Do not skip services because they seem low-risk. Attackers often compromise low-value accounts first, then pivot to higher-value targets.

Step 3: Choose Strong MFA Methods

Avoid SMS-based MFA where possible. Use:

  • Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy)

  • Hardware security keys (YubiKey, Titan Security Key)

  • Biometric authentication on trusted devices

Step 4: Plan for Device Loss

Establish backup authentication methods:

  • Backup codes stored securely (physical safe, password manager)

  • Multiple authenticator devices per user

  • Recovery contact procedures

Step 5: Train Your Staff

Your employees need to understand:

  • Why MFA matters (use the Synnovis case as an example)

  • How to use their authentication method

  • What to do if they lose their phone or security key

  • How to recognise and report MFA fatigue attacks

The MFA Fatigue Attack (And How to Defend Against It)

Modern attackers have adapted to MFA with "MFA fatigue" attacks. Here is how they work:

  1. Attacker obtains valid password

  2. Attacker attempts to authenticate, triggering MFA prompt

  3. User receives authentication request, denies it

  4. Attacker immediately tries again

  5. Attacker sends dozens or hundreds of authentication requests

  6. Exhausted user eventually approves one just to stop the notifications

Defence: Configure MFA to require number matching, and rate-limit push prompts. With number matching, the sign-in screen shows a two-digit number that the user must type into the authenticator app to approve; the approval cannot be given without seeing the attacker's screen, so blindly tapping "Approve" stops working. Microsoft Authenticator has enforced number matching for all tenants since 2023. Make sure users know how to report a prompt they did not trigger, and treat a burst of denied pushes for one account as an incident rather than a nuisance: it means the attacker already holds that password, and it needs resetting.
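The difference between the two behaviours, as an added example (my model for this article, not any vendor's implementation): a small identity-provider side of push MFA that can run with or without number matching and that stops prompting once an account is being hammered, and a simulation of a worn-down user who eventually approves. The account names and timings are constructed.

```python
"""
Model of push-notification MFA with and without number matching, plus a per-account
push rate limit. Added example for this article; it models the behaviour described in
the text and is not any vendor's implementation. Account names are constructed.
"""
import secrets
from collections import deque
from typing import Dict, Optional


class PushMfaServer:
    """Identity-provider side of push MFA. After a correct password it sends a push and
    tells the sign-in screen what to display; the approval must come back through the app."""

    def __init__(self, number_matching: bool, max_pushes: int = 5, window_seconds: int = 300):
        self.number_matching = number_matching
        self.max_pushes = max_pushes
        self.window = window_seconds
        self.pending: Dict[str, tuple] = {}      # request_id -> (user, number the screen shows)
        self.push_times: Dict[str, deque] = {}   # user -> recent push timestamps
        self.locked_out = set()

    def password_accepted(self, user: str, now: int) -> Optional[dict]:
        """Send a push for this sign-in, or refuse if the account is being hammered.
        Returns what the sign-in screen shows, or None when no push was sent."""
        times = self.push_times.setdefault(user, deque())
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) >= self.max_pushes:
            # A burst of pushes means someone holds the password. Stop prompting the user
            # (so they cannot be worn down) and flag the account for a password reset.
            self.locked_out.add(user)
            return None
        times.append(now)
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[request_id] = (user, number)
        return {"request_id": request_id, "display_number": number}

    def approve(self, request_id: str, typed_number: Optional[int]) -> bool:
        """Approval from the app. With number matching it must carry the number shown
        on the sign-in screen; a blind tap cannot supply it."""
        _user, expected = self.pending.pop(request_id)   # each request is single use
        return typed_number == expected if self.number_matching else True

    def deny(self, request_id: str) -> None:
        self.pending.pop(request_id)


def legitimate_sign_in(number_matching: bool) -> bool:
    """The real user is looking at their own sign-in screen and types what it shows."""
    server = PushMfaServer(number_matching)
    screen = server.password_accepted("a.nurse@example.test", now=0)
    return server.approve(screen["request_id"], screen["display_number"])


def simulate_fatigue_attack(number_matching: bool, user_caves_after: Optional[int],
                            attempts: int = 50) -> dict:
    """Attacker with a valid password keeps signing in, ten seconds apart. The user denies
    the first `user_caves_after` prompts, then approves blindly to make them stop; None
    means the user never caves. The user is not looking at the attacker's browser, so
    under number matching there is no number for them to type."""
    server = PushMfaServer(number_matching)
    now, pushes = 0, 0
    for _ in range(attempts):
        screen = server.password_accepted("b.clerk@example.test", now)
        now += 10
        if screen is None:
            return {"approved": False, "pushes_sent": pushes, "locked_out": True}
        pushes += 1
        if user_caves_after is not None and pushes > user_caves_after:
            return {"approved": server.approve(screen["request_id"], None),
                    "pushes_sent": pushes, "locked_out": False}
        server.deny(screen["request_id"])
    return {"approved": False, "pushes_sent": pushes, "locked_out": False}


if __name__ == "__main__":
    print("plain push, user caves:   ", simulate_fatigue_attack(False, user_caves_after=3))
    print("number matching, user caves:", simulate_fatigue_attack(True, user_caves_after=3))
    print("plain push, user holds out: ", simulate_fatigue_attack(False, user_caves_after=None))
```

Two things the simulation makes visible. First, with plain push the attack succeeds the moment the user gives in, which is a question of patience, not skill. Second, the rate limit protects the user who holds out: after a handful of pushes the account stops prompting, so the attacker cannot run the "dozens or hundreds" of requests the attack depends on, and the burst itself is the alert that the password needs changing. A user who guesses the number has a one-in-a-hundred chance per prompt, which is why real systems also lock after a few mismatches.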

Why This Matters Beyond Synnovis

The Synnovis case is horrific, but it is not unique. In Mandiant's M-Trends 2025 report, stolen credentials were the second most common initial access vector, behind only exploitation of vulnerabilities, and they are the vector MFA most directly blocks. Every organisation without MFA is vulnerable to exactly the same attack that killed a patient at a London hospital.

This is not theoretical risk. This is demonstrated, proven, documented reality. We know stolen credentials are one of the two leading ways in. We know MFA blocks that route. We know MFA is free. The question is no longer whether to implement MFA. The question is why any organisation has not already done so.

The Legal Implications

As we discussed in Monday's podcast episode, there is a growing argument that failure to implement free, standard security controls like MFA should constitute gross negligence when it results in serious harm.

If a construction company failed to provide hard hats and a worker died, directors would face criminal prosecution. The hard hats cost money. MFA is free. Yet when MFA is not implemented and a patient dies, nobody faces consequences.

This technical reality makes the legal argument even stronger. This was not a sophisticated attack that required advanced defences. This was criminals using stolen passwords because nobody bothered to enable the free authentication system that would have stopped them.

Your Next Steps

If you are responsible for cybersecurity in your organisation, your immediate actions are:

  1. Stop reading this article

  2. Open your administrative consoles

  3. Enable MFA on every system that supports it

  4. Create a plan to implement MFA on systems that do not currently have it

  5. Schedule training for your staff on using MFA

  6. Document what you have done and when

If you are a small business owner without technical expertise, contact a reputable IT support provider or managed service provider and specifically request an MFA implementation project. Budget approximately £500-2000 for a professional implementation including training, depending on your organisation size.

The Bottom Line

Multi-factor authentication would have prevented the Synnovis attack. A patient died because this free control was not enabled. There is no ambiguity here, no technical debate, no uncertainty.

MFA blocks credential-based attacks. Credential-based attacks are one of the leading threat vectors. MFA is free and takes minutes to enable.

Every organisation without MFA enabled is one compromised password away from being the next Synnovis. The only question is whether you will implement basic security before or after your preventable disaster.

Technical Resources

  • Microsoft 365 MFA Setup Guide (Microsoft Documentation)

  • Google Workspace 2FA Configuration (Google Admin Help)

  • NCSC MFA Guidance for Enterprise (NCSC Guidance)

  • FIDO Alliance Security Key Information (FIDO Alliance)

  • Mandiant M-Trends 2025 Report (Mandiant Research)

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com