We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make."
So we grabbed another cup of tea, broke out the custard creams, and kept recording.
Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code, the kind of files that typically hold system credentials. A potential smoking gun.
In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.
This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.
Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.
Currently ranked in the Top 100 Apple Business Podcasts (US)
This episode is sponsored by Authentrend Biometric Hardware
If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.
The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.
The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.
The corrections: What we got wrong in Part 1, and why the reality is even more serious.
On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:
This screenshot shows the exact type of vulnerability cybersecurity experts warn about:
We present this as a plausible explanation based on professional analysis, not as a confirmed fact.
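The exposure described above (API code pushed to a repository with connection strings, API keys or private keys left in the files) is exactly what secret scanning looks for. The following is an added example, not code from the podcast or from Kido, showing the shape of such a check: a small scanner run over constructed file contents, with the matched values masked in its report and obvious placeholder values skipped so that an `.env.example` file does not drown out a real finding. The patterns, placeholder list and sample files are all assumptions made for this example; a production tool such as GitHub Secret Scanning uses provider-specific patterns and validates matches with the provider.

```python
import os
import re

# Assumed patterns covering common credential shapes found in application code.
# Each pattern captures the secret value in group 1 so the report can mask it.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
    # scheme://user:PASSWORD@host/... as found in database connection strings
    "url_with_password": re.compile(r"\b[a-z]+://[^:/\s]+:([^@/\s]+)@[^\s'\"]+"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

# Values that are documentation placeholders rather than real secrets (assumed list).
PLACEHOLDERS = {"password", "changeme", "example", "your-api-key", "xxx"}


def mask(secret):
    """Keep only a short prefix so the report itself does not leak the credential."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def scan_text(path, text):
    """Scan one file's contents; return a list of findings (file, line, type, preview)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            if secret.lower() in PLACEHOLDERS:
                continue  # documented placeholder, not a live credential
            findings.append(
                {"file": path, "line": lineno, "type": name, "preview": mask(secret)}
            )
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (handy for tests and CI hooks)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root, max_bytes=1_000_000):
    """Walk a checked-out repository on disk, skipping .git and unreadable/binary files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if os.path.getsize(path) > max_bytes:
                continue
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file
    return findings


# Constructed sample repository (illustrative only; not the Kido repository).
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DATABASE_URL = 'postgres://app:Sup3rSecretPw@db.internal:5432/nursery'\n"
        "API_KEY = 'sk_live_0123456789abcdefGHIJ'\n"
    ),
    ".env.example": "DATABASE_URL=postgres://user:password@localhost/db\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "app/main.py": "def health():\n    return 'ok'\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']} {f['type']} ({f['preview']})")
```

Run against the constructed sample it reports the database password, the API key and the private key, and stays silent on the placeholder in `.env.example` and on the ordinary source file. Pointing `scan_directory` at a checkout is a reasonable pre-push check, but it only tells you a secret was committed; the remediation is to rotate the credential, because anything that has reached a public repository should be treated as already exposed.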
For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.
What this means:
When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.
Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.
What we said in Part 1: "Only 50% of schools have MFA enabled"
What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.
The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.
The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.
Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).
The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."
The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"
What IT providers should do: Help implement technical controls
What schools must do: Verify compliance is actually happening
Who's responsible: School leadership, governors, senior management - not outsourceable
Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.
Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.
Keeping Children Safe in Education 2025
DfE Digital Standards for Schools
NCSC Cyber Assessment Framework (CAF)
NCSC Early Years Settings Guidance
GitHub Secret Scanning
DfE Digital Standards Webinars
Title: Senior Data Protection Consultant
What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.
Expertise:
Email: [email protected]
Copy these questions and email them to your head teacher:
Don't accept: "We have an IT company, they handle all this."
If you have any custom software, ask your developer:
Red flags:
The pattern Tammy sees constantly:
One credential compromise = full breach
Constraints schools face:
What needs to change:
The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.
Tammy on partial MFA:
"It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."
Tammy on the safeguarding link:
"Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."
Tammy on the repository:
"This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."
Tammy on compliance responsibility:
"Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."
Noel on the repository screenshot:
"The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"
Share this episode if:
Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards
Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."
Website: thesmallbusinesscybersecurityguy.co.uk
Currently ranked Top 100 Apple Business Podcasts (US)
Part 1: The Education Data Protection Gap (listen first)
The Kido Hot Take
Hosts:
Guest:
Production:
Special mention:
This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.
Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.
The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.
Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts
Accessibility: Contact us for alternative formats
Next time: Infosec, Cybersec, and IT security - They are the same right?? Spoiler Alert: No they are not!
Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.
Published: 13 October 2025
Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.
By The Small Business Cyber Security Guy