The Two-Minute Fix That Could Save Your Martial Arts Club from a $50 Million Fine

Graham Slater • June 29, 2026

The Simplest Thing Most Club Owners Have Not Done

Multi-factor authentication. MFA. Two-step verification. Whatever you call it, you almost certainly use it in your personal life without thinking about it. When your bank sends a text message to your phone before letting you log in online, that is MFA. When your email platform asks you to approve a login on a secondary device, that is MFA. It has been part of everyday digital life for years.

And yet, when it comes to their business systems — the CRM that holds 500 members' health records, the email account that contains years of sensitive member correspondence, the booking platform that processes hundreds of direct debits — the majority of gym and martial arts club owners either have not enabled MFA or do not know whether it is on.

This single oversight is one of the most common reasons cyber insurers decline or reduce claims after a breach. It is also one of the factors the OAIC examines when determining whether a business took "reasonable steps" to protect member data — a determination that can be the difference between a manageable compliance outcome and a $50 million Federal Court penalty.

What MFA Is and How It Works

Multi-factor authentication adds a second layer of verification to the login process. Rather than just asking for a username and password, it also asks for something else: usually a code sent to your phone, a fingerprint scan, or an approval from an authenticator app.

The three categories of authentication factors are: something you know (your password), something you have (your phone or a physical security key), and something you are (a fingerprint or face scan). MFA requires at least two of these categories to be satisfied before granting access.

The reason this works against attackers is simple: obtaining a password is relatively easy. A phishing email captures it outright, a password reused across several accounts is exposed as soon as any one of those accounts is breached, and a weak password falls to automated guessing. Obtaining the second factor as well, the phone or physical security key the legitimate user holds, at the same time and for the same account, is dramatically harder. MFA breaks the most common attack vector available to cybercriminals: a stolen password on its own is no longer enough to log in.

Why the Law Now Cares Whether You Have MFA Enabled

Under the Privacy Act, the standard by which your data handling is judged is whether you took "reasonable steps" to protect the personal information you hold. What counts as reasonable is not precisely defined in the legislation — it is assessed contextually, taking into account the nature and sensitivity of the data, the size and resources of the business, and the current state of available security technology.

In 2026, enabling MFA on your business systems is almost certainly a "reasonable step." It is free or extremely low-cost, it is built into virtually every major software platform, and it demonstrably reduces the risk of unauthorised access. Cyber security guidance from the Australian Cyber Security Centre (ACSC), the OAIC, and most major insurers all identify MFA as a baseline security requirement.

If a breach occurs and the investigation reveals that MFA was not enabled, the absence of this basic, freely available control is likely to be treated as evidence that reasonable steps were not taken. That finding moves the breach from an unfortunate incident towards a serious or reckless failure, and with it the potential penalties escalate significantly.

Where to Enable MFA in Your Fitness Business

MFA should be enabled on every system that holds or provides access to member data. For a typical gym or martial arts club, this means:

• Your gym management or CRM software (Mindbody, Glofox, ClubManager, Zen Planner — all support MFA in their settings).

• Your business email accounts, including Gmail and Microsoft 365 (Outlook). These are frequently the entry point for phishing-based attacks.

• Your website content management system, especially if it has a member login area.

• Your accounting or payroll software.

• Your business social media accounts (Facebook, Instagram) — hackers use compromised accounts to run fraudulent ads or extract payment credentials.

• Any cloud storage or file-sharing systems where member data or business documents are stored.

A Note on SMS vs Authenticator Apps

Not all MFA is equal. The most basic form uses text messages: when you try to log in, a six-digit code is sent to your phone. This is far better than no MFA, but it is exposed to a known attack called SIM swapping, in which an attacker persuades your phone carrier to transfer your number to a device they control and then receives your codes instead of you.

The more secure option is an authenticator app, such as Google Authenticator or Microsoft Authenticator. The app and the service share a secret when you enrol, and the app derives a short-lived code from that secret and the current time, so the code is never transmitted over the phone network and a SIM swap gains the attacker nothing. One caveat: a code typed into a convincing fake login page can still be relayed by the attacker within its validity window, so the app removes the SIM-swap risk rather than every phishing risk; a physical security key, which only responds to the genuine site, closes that gap as well. Cyber insurers and the ACSC both recommend authenticator apps over SMS-based verification wherever possible.
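To make the mechanism behind both the "how it works" section and the authenticator-app paragraph concrete, here is an added example, written for this edit rather than taken from the original article or from any product named in it. It implements in Python the time-based one-time password scheme authenticator apps use (RFC 6238 TOTP, built on RFC 4226 HOTP), and a minimal server-side verifier. The shared secret is the key from the RFC test vectors, used here purely as a constructed demo value; the account and issuer names are placeholders. Both sides compute the code from the secret and the clock, which is why nothing crosses the phone network. The verifier shows the two checks a practitioner wants on the server: a constant-time comparison, and refusal to accept a time step at or before the last one used, so a code captured once cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo value: the ASCII key from the RFC 4226 / RFC 6238 test vectors.
# A real enrolment generates a random secret (20 bytes or more), shows it to the
# app as base32 inside a QR code, and never reuses it across accounts.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the 30-second window the app counts down
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that an enrolment QR code encodes (secret shown as base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side of the exchange.

    Accepts one step of clock drift either way (phone and server clocks are never
    perfectly aligned) and never accepts a time step at or before the last one it
    accepted, so a code captured and replayed after the real login is rejected.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        current = at_time // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # replay or older code: never accept the same step twice
            # compare_digest avoids leaking which digits matched through timing
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Placeholder account and issuer names; hypothetical, not from the article.
    print("enrolment QR content:", provisioning_uri(DEMO_SECRET, "owner@example-club.test", "ExampleClub"))
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    verifier = TotpVerifier(DEMO_SECRET)
    print("code shown in app:    ", code)
    print("first login accepted: ", verifier.verify(code, now))
    print("same code replayed:   ", verifier.verify(code, now))
```

Running it prints the QR-code content, the current six-digit code, `True` for the first login and `False` for the replay. The six-digit code at the RFC vector time 59 is `287082`, the last six digits of the eight-digit RFC 6238 value `94287082`, which is a quick way to check any TOTP implementation against the standard.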

For most small fitness businesses, enabling any form of MFA immediately is the priority. Perfect should not be the enemy of good — start with SMS-based MFA today and transition to an authenticator app at your next opportunity.

The Insurer's Perspective

An important but under-discussed dimension of MFA is its effect on your cyber insurance policy. Most cyber insurers now ask during the application process whether MFA is enabled on key systems. If you say yes, it typically reduces your premium — because the insurer correctly assesses that your risk of a successful attack is lower.

More critically: some insurers include a warranty clause in their policies that makes MFA a condition of coverage. If a breach occurs and the investigation reveals that MFA was not enabled at the time, the insurer may decline the claim entirely on the basis that the warranty was breached. This is not a hypothetical risk — it is increasingly common practice across the cyber insurance market.

At MAA Insurance Services, we make sure our clients understand exactly what their policy requires so there are no unpleasant surprises at claim time.

The Five-Minute Action Plan

You can begin the process of enabling MFA across your business right now. Here is where to start:

• Log into your gym management software, go to Settings, and search for 'two-step verification' or 'multi-factor authentication.' Turn it on.

• Do the same for your business email platform (Google Workspace or Microsoft 365 both have simple toggle switches in the security settings).

• Download Google Authenticator or Microsoft Authenticator from the App Store or Google Play — it is free.

• Set a calendar reminder for this week to walk through every system your staff uses and confirm MFA is activated.

• Contact MAA Insurance Services to review your cyber cover and confirm your policy is consistent with your current security setup.

Small Action, Large Protection

MFA is not a cure for all cyber risk. It should sit alongside a compliant privacy policy, staff training, data minimisation practices, and standalone cyber insurance as part of a layered defence. But it is the single easiest and cheapest thing your business can do today to meaningfully reduce its exposure.

Do not let the absence of a two-minute security setting be the reason a $50 million penalty finds its way to your door.
