October 07, 2025

Detention: The Day 8,000 Children's Data Went Missing

41 minutes

Episode Description

Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn

Why only 50% of schools have multi-factor authentication enabled

The difference between early years providers and mainstream schools

How photo-rich platforms create unique vulnerabilities for nurseries

Why DFE digital standards remain unknown to most schools

The governance problem: volunteers without power

Who actually gets things done when head teachers won't prioritise security

Why schools keep breaches quiet and what that means for parents

Practical steps parents can demand from their child's school today

The Cyber Essentials challenge for small schools with limited budgets

How COVID pushed schools years ahead without proper security foundations

Guest Contact Details

Tammy Buchanan

Senior Data Protection Consultant

Data Protection Education

Email: [email protected]

LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page

Website: Data Protection Education

Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Resources Mentioned

Government and Regulatory:

DFE Digital Standards (Department for Education)

NCSC (National Cyber Security Centre) staff training resources

ICO (Information Commissioner's Office) breach log and guidance

Ofsted inspection framework

Safeguarding regulations

Platforms Discussed:

Famly (early years learning journey platform)

Tapestry (early years learning journey platform)

Arbor (school management information system)

Bromcom (school management information system)

Security Standards:

Cyber Essentials certification

Multi-factor authentication (MFA) implementation

Incident response planning

Additional Resources:

The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk

Data Protection Education news page (free resources for schools)

Key Statistics from This Episode

50% or less of schools have MFA enabled

8,000 children's photos stolen in the Kido breach

12 years Tammy worked directly in schools before consulting

15 years Tammy has been in the education sector overall

2030 target date for schools to meet six DFE digital standards

Questions Parents Should Ask Their School

Do you have multi-factor authentication enabled on all systems?

How often do staff receive cybersecurity training?

Where is your incident response plan and when was it last tested?

Who on the governing body is responsible for data protection and cyber resilience?

Are you working towards the DFE digital standards?

Which third-party platforms hold my child's data and photos?

How do you monitor and configure security settings on these platforms?

Key Takeaways

For Parents:

Schools are having breaches regularly but keeping them quiet

Most schools lack basic security like MFA

Your child's photos on learning journey apps create unique risks

You have the right to ask questions about data protection

Schools respond to parental pressure

For School Leaders:

Documentation matters for ICO compliance

Training needs updating regularly, not the same video for three years

Incident response plans are useless if nobody knows where they are

School business managers need authority, not just responsibility

Other schools' examples work better than external expert advice

For Governors:

Cybersecurity needs to be statutory to get real traction

Digital lead on governing body remains unfilled at many schools

You need both knowledge and authority to make change happen

Physical security analogies help boards understand cyber risks

The Big Picture

This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk

Subscribe: Available on all major podcast platforms

Social Media: Find us on LinkedIn

Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.

...more

View all episodes

By The Small Business Cyber Security Guy

October 07, 2025

Detention: The Day 8,000 Children's Data Went Missing

41 minutes

Episode Description

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn

Why only 50% of schools have multi-factor authentication enabled

The difference between early years providers and mainstream schools

How photo-rich platforms create unique vulnerabilities for nurseries

Why DFE digital standards remain unknown to most schools

The governance problem: volunteers without power

Who actually gets things done when head teachers won't prioritise security

Why schools keep breaches quiet and what that means for parents

Practical steps parents can demand from their child's school today

The Cyber Essentials challenge for small schools with limited budgets

How COVID pushed schools years ahead without proper security foundations

Guest Contact Details

Tammy Buchanan

Senior Data Protection Consultant

Data Protection Education

Email: [email protected]

LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page

Website: Data Protection Education

Resources Mentioned

Government and Regulatory:

DFE Digital Standards (Department for Education)

NCSC (National Cyber Security Centre) staff training resources

ICO (Information Commissioner's Office) breach log and guidance

Ofsted inspection framework

Safeguarding regulations

Platforms Discussed:

Famly (early years learning journey platform)

Tapestry (early years learning journey platform)

Arbor (school management information system)

Bromcom (school management information system)

Security Standards:

Cyber Essentials certification

Multi-factor authentication (MFA) implementation

Incident response planning

Additional Resources:

The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk

Data Protection Education news page (free resources for schools)

Key Statistics from This Episode

50% or less of schools have MFA enabled

8,000 children's photos stolen in the Kido breach

12 years Tammy worked directly in schools before consulting

15 years Tammy has been in the education sector overall

2030 target date for schools to meet six DFE digital standards

Questions Parents Should Ask Their School

Do you have multi-factor authentication enabled on all systems?

How often do staff receive cybersecurity training?

Where is your incident response plan and when was it last tested?

Who on the governing body is responsible for data protection and cyber resilience?

Are you working towards the DFE digital standards?

Which third-party platforms hold my child's data and photos?

How do you monitor and configure security settings on these platforms?

Key Takeaways

For Parents:

Schools are having breaches regularly but keeping them quiet

Most schools lack basic security like MFA

Your child's photos on learning journey apps create unique risks

You have the right to ask questions about data protection

Schools respond to parental pressure

For School Leaders:

Documentation matters for ICO compliance

Training needs updating regularly, not the same video for three years

Incident response plans are useless if nobody knows where they are

School business managers need authority, not just responsibility

Other schools' examples work better than external expert advice

For Governors:

Cybersecurity needs to be statutory to get real traction

Digital lead on governing body remains unfilled at many schools

You need both knowledge and authority to make change happen

Physical security analogies help boards understand cyber risks

The Big Picture

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk

Subscribe: Available on all major podcast platforms

Social Media: Find us on LinkedIn

Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.

...more

Share Detention: The Day 8,000 Children's Data Went Missing

Sign up to save your podcasts

Detention: The Day 8,000 Children's Data Went Missing

Detention: The Day 8,000 Children's Data Went Missing