Assuming you mean *lack* of TFA/MFA, I agree 100%. A yubikey for each person accessing the data, in retrospect, probably looks cheap as dirt.

And yes, gotta wonder why students have write permissions to anything they don't actually need to write to. It gets harder if the victim is trying to protect a secret they don't want exposed, but, MFA would have avoided the issue even if everyone had write.