Last Updated: March 2021
Let's not sugarcoat it: the CNA Financial ransomware attack in March 2021 was a disaster of epic proportions. One of the biggest U.S. insurers got hit through a lure as basic as a fake browser update. The attackers got a foothold on March 5, stayed inside for more than two weeks, stole data on roughly 75,000 people (Social Security numbers and health details among it), and on March 21 locked up some 15,000 systems with Phoenix CryptoLocker ransomware. The result? A reported $40 million ransom payment, the largest publicly known at the time, just to get the business back online after three days of chaos. And the root cause? Legacy MFA that couldn't stop a phishing email from turning into a financial nightmare.
How It All Went Wrong
On March 5, an employee ran what looked like a browser update. Classic phishing 101, except the "update" was malware. That single click gave the attackers (attributed by several reports to Evil Corp, the group behind Phoenix CryptoLocker) code execution on a corporate workstation and, from there, the credentials stored and used on it. Legacy MFA, meaning a password plus a flimsy second factor like an SMS or app code, didn't stand a chance here: the check runs once at the login prompt, and an attacker who already owns the workstation simply rides the sessions and harvested credentials behind it. From that point they had free rein to move laterally, sniff out sensitive data, exfiltrate it, and plant ransomware across the network, reaching remote employees' devices over the corporate VPN. Nobody noticed for more than two weeks. That kind of dwell time is a death sentence, and CNA is far from unusual: IBM's 2025 Cost of a Data Breach Report pegs the global average time to identify and contain a breach at 241 days. By the time CNA realized what hit them, the damage was done.
Why Legacy MFA Is a Joke Against Phishing
Here's the ugly truth: legacy MFA is built on a house of cards. Every factor it uses is a secret the user can type, which means it is a secret the user can be tricked into typing into the wrong page. Passwords? Guessed, stuffed or stolen. SMS codes? Intercepted by a SIM swap, or just typed into the phishing page and relayed to the real site inside the 30-second window. Push notifications? Approved by a tired user on the tenth prompt, or by one who was told "IT" needed them to. The server only ever sees the strings; it has no way to know which site the user handed them to. The CNA attack started with compromised credentials, and once those were in hand, the game was over. Legacy MFA authenticates at the front door and then rolls out the red carpet: nothing re-checks the session while the attacker roams inside. There's no real protection against phishing because the system still hinges on something stealable and relayable. The alternative is a credential bound to the site and to a one-time challenge, so an answer captured on a look-alike domain is worthless anywhere else. And when you're dealing with sensitive data on 75,000 people, a factor that can be relayed isn't just a flaw, it's a catastrophe waiting to happen.
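To make the "something stealable" point concrete, here is an added illustration (not code from the original page, and not any vendor's product): two toy relying parties side by side. The first checks a password plus an RFC 6238 TOTP code; the second checks a WebAuthn-style assertion whose signed client data names the origin the browser was actually on and a single-use challenge. The origins, secrets and device key are constructed for the example, and an HMAC stands in for the authenticator's public-key signature, which does not change the property being shown: a code relayed through a phishing proxy is accepted, an origin-bound assertion relayed the same way is rejected, and a captured assertion cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Hypothetical origins for the example; neither is a real CNA host.
REAL_ORIGIN = "https://login.cna.example"
PHISH_ORIGIN = "https://cna-login.example"   # attacker's reverse proxy

# Constructed secrets (never hard-code these for real).
TOTP_SECRET = b"12345678901234567890"         # the RFC 6238 test-vector key
DEVICE_KEY = secrets.token_bytes(32)          # stands in for the authenticator's private key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme behind most authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegacyRP:
    """Password + TOTP. The server sees two strings; it cannot tell who typed them where."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret

    def login(self, password: str, code: str, unix_time: int) -> bool:
        # Current window only; a live proxy relays well inside 30 s anyway.
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_secret, unix_time)))


class OriginBoundRP:
    """WebAuthn-style check: single-use challenge, and the signed client data must
    name this RP's origin. HMAC stands in for verifying a public-key signature."""

    def __init__(self, device_key: bytes, origin: str):
        self.device_key = device_key
        self.origin = origin
        self.outstanding = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def login(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if data.get("challenge") not in self.outstanding:
            return False                                 # unknown or already used
        self.outstanding.discard(data["challenge"])      # single use: blocks replay
        if data.get("origin") != self.origin:
            return False                                 # signed for a different site
        expected = hmac.new(self.device_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_assert(device_key: bytes, challenge: str, page_origin: str):
    """The browser, not the user, fills in the origin it is actually on, and the
    authenticator signs over it. The user has nothing to type, so nothing to leak."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()


def legacy_login_relayed(now: int = 1_700_000_000) -> bool:
    """Victim types password and the code from their phone into the phishing page;
    the proxy forwards both to the real RP."""
    rp = LegacyRP("hunter2", TOTP_SECRET)
    typed_code = totp(TOTP_SECRET, now)          # what the victim reads off the app
    return rp.login("hunter2", typed_code, now)  # attacker's request: accepted


def origin_bound_login_relayed() -> bool:
    rp = OriginBoundRP(DEVICE_KEY, REAL_ORIGIN)
    challenge = rp.new_challenge()               # proxy fetched it from the real RP
    # The victim's browser is on the phishing origin, and that is what gets signed.
    client_data, sig = authenticator_assert(DEVICE_KEY, challenge, PHISH_ORIGIN)
    return rp.login(client_data, sig)            # attacker relays it: rejected


def origin_bound_login_direct() -> bool:
    rp = OriginBoundRP(DEVICE_KEY, REAL_ORIGIN)
    challenge = rp.new_challenge()
    client_data, sig = authenticator_assert(DEVICE_KEY, challenge, REAL_ORIGIN)
    first = rp.login(client_data, sig)
    replay = rp.login(client_data, sig)          # captured assertion replayed later
    return first and not replay


if __name__ == "__main__":
    print("TOTP relayed through phishing proxy accepted:  ", legacy_login_relayed())
    print("Origin-bound assertion relayed accepted:       ", origin_bound_login_relayed())
    print("Origin-bound direct login ok and replay blocked:", origin_bound_login_direct())
```

Two caveats a practitioner should keep in mind. Real WebAuthn is stricter than this toy: the browser only offers a credential whose relying-party ID matches the page's domain, so the user on the look-alike site would never be prompted at all, and the signature is asymmetric, so the server holds nothing an attacker could reuse. And none of this helps once malware is executing on the endpoint, which is how the CNA intrusion began; origin-bound credentials close the relay-and-replay path, while endpoint hardening and monitoring still have to cover the rest.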
The Damage: More Than Just Money
Sure, the $40 million ransom stings, especially against IBM's 2025 finding that the global average breach already costs a hefty $4.44 million. But the real pain is the trust CNA lost. Customers' personal data (names, Social Security numbers, health benefits details) was snatched. You don't recover from that with a press release. Add three days of operational downtime and you've got a textbook case of legacy MFA failing when it matters most. This wasn't just a breach; it was a wake-up call that credential-based security is a relic.
Time to Ditch the Old Garbage
CNA Financial's nightmare proves one thing: relying on legacy MFA is like locking your house with a paper clip. Phishing isn't going away, and the tooling behind it (hosted reverse-proxy kits that relay codes and sessions in real time) keeps getting better. Sticking with authentication that depends on a typed secret is a gamble no business can afford. The fix isn't complicated, but it means ditching legacy MFA entirely rather than bolting another code on top. The full technical breakdown of what actually works is at mfa2point0.com.
FAQ: Straight Talk for Frustrated IT Managers
Q: Why does legacy MFA keep failing against phishing?
A: Because everything it checks (passwords, SMS or app codes, push approvals) is a secret or a decision the user can be tricked into handing over, and the server can't tell a relayed code from a genuine one. Phishing exploits exactly that, and legacy MFA has no structural defense against it. Check out Prevention — Not Detection for a better way.
Q: How do I convince my boss to ditch this outdated junk?
A: Show them the numbers. Breaches like CNA's cost tens of millions: $40 million in ransom alone in this case, before downtime, notification and lost trust. Legacy MFA isn't saving money; it's the control the attacker walks straight past. Point them to real solutions that stop credential theft before it starts.
Q: Is there any hope for securing remote employees with this mess?
A: Not with legacy MFA. Remote access is a goldmine for attackers when a typed credential is the key, and at CNA the ransomware reached remote employees' machines through the VPN. You need something that removes stealable credentials altogether: start with understanding Coverage.