Multi-factor Authentication (MFA) Bypassed to Permit Data Breach
Monday, April 1, 2024
hackers bypass multi-factor authentication security
Print Mail Download i

As organizations continue to take steps to prevent cyberattacks, a near-universal recommendation is that they should implement multi-factor authentication (MFA), and for good reason. Organizations subject to the updated FTC Safeguards Rule, for example, are required to implement MFA. The Cybersecurity & Infrastructure Security Agency (CISA) includes MFA as a best practice. And for the insurance industry, “MFA has quickly become a minimum standard requirement for companies to be considered for cyber insurance coverage.”

However, according to a recent HIPAA Journal article, bad actors figured out a way around MFA (no April Fool’s joke here!):

The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming, where a user is sent multiple MFA push notifications to their mobile device in the hope that they will eventually respond. The employee did respond, resulting in their email account being compromised.

This is not to say that MFA is not a critical safeguard for securing an organization’s systems. But, it also is not the first instance of MFA being bypassed. Instead, the incident referred to above should be a reminder that no means of system security is perfect. Organizations need to continue to make reasonable efforts to identify vulnerabilities and address them. They should not be overconfident in the security that MFA provides.

There are several ways to strengthen MFA, including through the use of hardware-based MFA, limiting login attempts, training, etc. That determination should be part of an ongoing process of continually monitoring the organization’s systems and assessing information risk, including by way of the enhanced capabilities and creativity of bad actors, including as aided by AI. Doing so will not only help to protect the organization, but it also will improve its defensible position in a litigation or compliance review, and avoid a data breach.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

District Court Strikes Portions of Inglewood’s Healthcare Worker Minimum Wage Ordinance
by: Jonathan A. Siegel , Allen F. Acosta
Reminder: San Francisco Employer Annual Reporting Form Due May 3
by: Harold R. Jones , Julia A. Olivier
Addressing Multinational Labor and Employment Law Issues Through an International Alliance [Podcast]
by: John L. Sander
Nuanced Privacy Laws Means Healthcare Organizations Should Prioritize Protecting Personal Information
by: Michael R. Bertoncini
Reports Confirm Need for Employers to Foster Inclusive Work Environment for Black, LGBTQIA+ Youth
by: Teresa Burke Wright
U.S. Supreme Court: Alleging Discriminatory Transfer Is Sufficient Harm to Bring Title VII Claim
by: Stephanie L. Adler-Paindiris , Michael R. Hatcher
New York State Budget Includes Enhanced Employer Obligations
by: Richard Greenberg , Tania J. Mistretta
SDNY Denies Leave to Amend ERISA Complaint with “Substantively the Same Defects” as Dismissed Complaint
by: Alex E. Hotard , Phillip C. Thompson
Should We Submit Missing Participant Data to the DOL with the Plan’s Form 5500?
by: Suzanne G. Odom
USCIS Updates Form N-400 Application for Naturalization
by: Michael H. Neifach , Porter S. Young

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins