Showcase Magazine Winter 2026 - Flipbook - Page 23
CYBER SECURITY
Nurseries Urged to Review Online Journal Security After Kido Cyber Attack
Recent reports of a cyber attack affecting the Kido nursery chain have raised fresh concerns about the security of online systems
that store sensitive child data. According to news outlets, attackers gained access to children’s personal information, including
names, addresses, and photographs - a scenario that has become all too familiar in the education sector.
While investigations are ongoing, experts suggest that breaches like this are usually caused by stolen credentials, misconfigured
systems, or compromised third-party accounts. This serves as a timely reminder for all early years settings to review the security of
their online journal software, such as Tapestry.
How Attacks Happen
The most common entry points for attackers include:
Stolen credentials or phishing: Staff inadvertently give away passwords or reuse passwords already exposed in other breaches.
Lack of multi-factor authentication (MFA): A password on its own is easy to exploit if stolen.
Misconfigured cloud storage or APIs: Open storage or poorly configured access can expose data.
Third-party/vendor compromise: Attackers gain access through a supplier or software provider.
Insider access or unpatched vulnerabilities: Weak access controls or outdated systems can be exploited.
Common Protections
Common online platforms such as Tapestry implement several safeguards:
Encrypted connections and encrypted storage in EU cloud infrastructure.
Access controls and per-setting isolation so nurseries control who sees which records.
Regular offsite backups with defined retention policies.
Staff vetting, including DBS checks for employees handling customer data.
Positioning settings (nurseries) as data controllers, with responsibility for authorising access.
However, some important gaps may remain: MFA has historically not been available to end users, and many protections depend
on user behaviour, such as using strong passwords and avoiding phishing. Third-party and cloud risks also remain, as
misconfigurations or compromised support accounts can expose data.
Practical Steps for Settings
Nurseries can take several immediate actions to reduce the risk of a Kido-style breach:
Enable MFA for all staff and parents. Confirm with your own provider if it is available for your account.
Enforce strong, unique passwords and use a password manager. Disable password reuse.
Minimise data collected: Only upload what is necessary to journals.
Review admin accounts and permissions regularly; give the minimum access needed.
Request independent security audits (ISO 27001, SOC 2, or penetration tests).
Prepare an incident response plan and know your ICO reporting contact.
Secure devices used to access online journal software: enforce passcodes, automatic updates, and avoid shared logins.
Check backups and retention rules to ensure data can be safely deleted or restored if needed.
Immediate Actions if Concerned
If your setting is worried about potential exposure:
Run an access audit on your journal software to see who has accessed records and from which IPs.
Reset all admin passwords and force a temporary logout of all sessions.
Follow your data breach procedure and notify the ICO if personal data may have been compromised.