Skip to content
The Cadarn IT team

One Password, 700 Jobs: a Ransomware Lesson for Your Practice

A 158-year-old firm collapsed after one guessed password let ransomware in. Here is what that near-miss teaches a North Wales accountancy practice about MFA and backups.

  • Security
  • Ransomware
  • Backup
A locked padlock resting on a laptop keyboard, suggesting a compromised login

Picture this. It is the third week of January. Your team is filing self-assessment returns at full tilt, the inbox is heaving, and a partner sits down at 8am to find every file on the network renamed and locked. A note on the screen demands payment. Nobody can open IRIS. Nobody can reach the client documents. The deadline does not move.

That scenario is not hypothetical. In 2023 a logistics company called KNP, a firm that had traded for 158 years and employed around 700 people, was hit by ransomware and never recovered. Within three months it had gone into administration. The way the attackers got in is the part every accountancy practice should sit with for a moment.

It started with one password

The attackers did not use anything exotic. They guessed an employee’s password on a remote-access system, the kind of login people use to reach work from home. Once they were in, they encrypted the company’s data, destroyed the local backups so nothing could be restored, and demanded a ransom of around five million pounds.

KNP had the things you would expect a sensible business to have. Antivirus. Firewalls. Backups. Monitoring. Even cyber insurance. What it did not have switched on was multi-factor authentication, the second check that makes a guessed password worthless on its own. One missing setting on one account was the difference between a bad day and the end of the business.

Read that again, because it is the whole point. The company did not fail because it ignored security. It failed because of a single gap that looked small until the morning it wasn’t.

Why this lands harder for an accountancy practice

A haulage firm holds delivery schedules and customer accounts. Your practice holds something attackers find even more useful: National Insurance numbers, dates of birth, payroll records, bank details, UTRs, and years of clients’ financial history in one place. That is a goldmine, and it raises the stakes in three specific ways.

  • It becomes an ICO matter. Ransomware that touches client personal data is a reportable breach. You are likely looking at a 72-hour notification to the Information Commissioner’s Office, and possibly letters to every affected client explaining that their data was exposed.
  • It hits during the worst possible window. A practice that loses access to its systems in mid-January cannot file. Returns are late, penalties stack up for clients, and the reputational damage with those clients can outlast the technical fix.
  • It undermines the one thing you sell, which is trust. Clients hand you their most sensitive numbers because they believe you will keep them safe. A breach quietly contradicts that, and conservative clients have long memories.

The “it won’t happen to us” instinct is the genuinely dangerous bit. KNP was older, bigger and better resourced than most North Wales practices, and the attack still found the one door left unlocked. Size is not protection. A locked door is.

The handful of controls that actually move the needle

The reassuring news is that the fix is not expensive or dramatic. The same few basics that would have saved KNP map almost perfectly onto a small practice.

1. Multi-factor authentication, everywhere it matters

MFA means that even if someone guesses or steals a password, they still cannot log in without the second step on your phone. It is usually included free with Microsoft 365 and most cloud accounting tools, and it is the single highest-value change you can make.

Switch it on for email, your practice management and tax software, remote access, and any cloud bookkeeping platform. Yes, it adds a few seconds to logging in. Those seconds are the cheapest insurance you will ever buy. If you only do one thing after reading this, do this one.

2. Strong, unique passwords and a password manager

MFA is the seatbelt, but you still want a sound password underneath it. The attack on KNP worked because a password was guessable. The cure is not a sticky note of ever-longer passwords, which people reuse and forget. It is a password manager, a secure vault that creates a long, random, unique password for every account and fills it in for you.

Your team only has to remember one strong master password. Every other login becomes effectively un-guessable, and nobody is reusing the same word across the bank, the email and the tax software.

3. Backups you have actually tested

Here is the detail from the KNP story that should keep you up at night: the attackers destroyed the backups too. A backup that sits on the same network the ransomware can reach is not really a safety net.

You want backups that are offsite, kept separate so they cannot be encrypted, and, crucially, tested. The only backup worth having is one you have proven you can restore from. We walk through exactly how to get this right for a practice in how to back up your accountancy practice properly, and it pairs closely with a tested backup and disaster recovery plan.

4. A baseline you can point to

Pulling these habits together is what schemes like Cyber Essentials are for, and it is increasingly what clients and your professional body expect to see. If that is on your list, our plain-English guide to Cyber Essentials for accountancy practices is a good place to start, and our cyber security and Cyber Essentials work is built around getting practices certified without the jargon.

None of this requires you to become an IT expert

That is rather the point. You did not train as an accountant to spend your evenings reading about ransomware groups, and you should not have to. The controls above are routine, well understood, and quick to put in place once someone who knows the accountancy software and the January rhythm sets them up properly. That is the work Cadarn IT does day to day, and it is exactly what a free Practice IT Health Check is designed to surface: a plain-English look at whether MFA is genuinely on everywhere, whether your backups would survive an attack, and where the quiet gaps are before anyone else finds them.

KNP did almost everything right and still lost the lot because of one setting on one account. The encouraging flip side is that closing that gap is well within reach for any practice, and most of it can be done this month. The firms that come through a scare like this are simply the ones who checked the locks before the test came, not after.

Frequently asked questions

If ransomware encrypts our client data, do we have to report it to the ICO?

Almost certainly, yes. A ransomware attack that affects client personal data is a personal data breach, and most will meet the threshold for reporting to the ICO within 72 hours. You may also need to tell affected clients. Treat any encryption of your systems as a reportable event until your adviser confirms otherwise.

We are a small practice. Are we really a target for ransomware?

Yes. Most ransomware is not aimed at a specific firm. Attackers scan the internet for any login they can guess or brute-force, then see what they have caught. A three-person practice with client tax records is just as worth encrypting as a large company, and often has weaker defences.

What is the single most useful thing we can do this week?

Turn on multi-factor authentication for every account that touches email, your practice management software and remote access. It is usually free, takes minutes per person, and it is the one control that would have stopped the attack described here. Tested backups come a close second.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.

Book your free Health Check

← Back to all guides

See where your practice's IT really stands

Book a free, no-obligation Practice IT Health Check, a plain-English, 15 to 20 minute review of your backups, security, compliance gaps and cloud-readiness. No jargon, no hard sell.