Case Study

“MFA wasn't enough - and their ACC contract was on the line.”

How a Christchurch counselling practice survived a cyber breach, protected their clients, and kept their ACC contract - before becoming an ITstuffed client

The Situation

A Christchurch counselling practice with 20 staff received what looked like a routine email. One staff member clicked a link, entered their credentials on what appeared to be a legitimate login page - and handed an attacker a live session token. The phishing site had been designed specifically to bypass their existing multi-factor authentication.

Because the compromised account belonged to a trusted member of the team, the attack spread internally. Several more accounts were affected before the breach was detected. The practice faced an urgent Privacy Commissioner notification obligation and real concern about their ACC contract - for a counselling practice, ACC funding is the financial backbone of the business.

How ITstuffed Helped

ITstuffed was brought in during the incident. Working alongside the practice's cyber insurance provider, a designated cyber forensics team, and legal counsel, we helped coordinate containment, investigation, and communication - while the practice focused on keeping their staff and clients supported.

The forensics team found it highly unlikely that client data had been exfiltrated. That finding shaped the notification process and ultimately protected the practice from a far worse outcome. Stabilising the practice took several days. Throughout that period, ITstuffed acted as the technical lead - translating between forensics, insurers, and lawyers on one side, and the practice's staff on the other.

Where They Are Now

The practice is an active ITstuffed client. The core security controls are in place. We are currently working with them on the longer-term governance layer: written security policies, a disaster recovery plan, and a business continuity framework - so that if something unexpected happens again, the practice has a clear, tested plan rather than having to work it out under pressure.

For a practice that depends on their ACC contract, this governance work matters beyond good housekeeping. Demonstrating documented policies, tested recovery plans, and active security oversight is increasingly what funders and regulators expect to see.

They had MFA. They had good intentions. They still got breached - because one well-crafted email was all it took. What protected them was having the right people in their corner when it mattered.

What We Put In Place Afterwards

Once the immediate crisis was resolved, the practice came on board as a managed services client. The controls we implemented would have prevented the breach entirely:

  • Email filtering and anti-phishing protection - the malicious email would not have reached the inbox
  • DNS filtering - even if a staff member had clicked the link, the connection to the malicious site would have been blocked before any credentials were entered
  • Endpoint detection and response - unusual behaviour would have been flagged before the attack spread internally
  • Identity threat detection and response (ITDR) with login monitoring - anomalous login activity, including use of a harvested session token from an unexpected location, would have triggered an alert and automatic response
  • Staff security awareness training - recognising phishing attempts, including the sophisticated kind designed to defeat MFA
  • Password manager and credential hygiene - eliminating reused and weak credentials
  • Privileged access controls - limiting what a compromised account can access and do

On MFA: the practice already had it in place, and the attacker still got through. A fake login page can harvest a valid session token in real time, making standard MFA ineffective on its own. Layered security - where no single control is the last line of defence - is what actually stops these attacks.
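The ITDR login-monitoring control listed above, shown as an added example that is not ITstuffed's tooling or any vendor's product: a small Python check that flags a session token presented from a new IP or country shortly after the MFA-backed sign-in that created it, which is the pattern a replayed harvested token leaves in sign-in logs. The log field names and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real log data). j.smith completes MFA from NZ;
# the same session token is then presented from another country 13 minutes later.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:11", "user": "j.smith", "session": "sess-7f3a",
     "ip": "203.0.113.10", "country": "NZ"},
    {"ts": "2024-05-01T09:15:40", "user": "j.smith", "session": "sess-7f3a",
     "ip": "198.51.100.77", "country": "DE"},
    {"ts": "2024-05-01T10:30:00", "user": "a.lee", "session": "sess-91c2",
     "ip": "203.0.113.22", "country": "NZ"},
    {"ts": "2024-05-01T11:00:00", "user": "a.lee", "session": "sess-91c2",
     "ip": "203.0.113.22", "country": "NZ"},
]


def detect_token_reuse(events, window=timedelta(hours=24)):
    """Return one alert per session whose token is later presented from a
    different country (high) or a different IP in the same country (medium)
    within `window` of the sign-in that minted it. A replayed token is already
    authenticated, so MFA never re-prompts: the location shift is the signal."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        origin = evs[0]  # the interactive, MFA-backed sign-in
        for later in evs[1:]:
            gap = (datetime.fromisoformat(later["ts"])
                   - datetime.fromisoformat(origin["ts"]))
            if gap > window or later["ip"] == origin["ip"]:
                continue
            alerts.append({
                "user": later["user"], "session": sid,
                "severity": "high" if later["country"] != origin["country"] else "medium",
                "from": f'{origin["ip"]} ({origin["country"]})',
                "to": f'{later["ip"]} ({later["country"]})',
                "minutes_after_signin": round(gap.total_seconds() / 60),
                # The response an ITDR tool automates: kill the session so the
                # stolen token stops working, then require a fresh MFA sign-in.
                "action": "revoke session; require fresh MFA sign-in",
            })
            break  # one alert per session is enough to trigger revocation
    return alerts


if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, it raises a single high-severity alert for sess-7f3a and stays silent for a.lee, whose token is only ever used from the same address.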

Related reading

Why MFA Wasn't Enough to Stop a Healthcare Breach

The same incident, explained in full - including the technical mechanics of how MFA was bypassed.

Could this happen to your practice?

If a staff member at your practice received a convincing email tomorrow - how many layers would catch it before it became a problem? Book a free IT Fit Check to find out where your current setup has gaps.