
How well are nursery school leaders and boards protecting children’s sensitive data in the face of escalating cyber threats, and is the status quo truly enough? The answers to these questions are, unfortunately, not yet and no.
A genuinely effective defense against cyber criminals demands a governance-led strategy. That means universal multi-factor authentication, zero-trust access controls, comprehensive data mapping, sector-specific cyber insurance, and rigorous incident response rehearsals.
However, with more than 40% of UK education providers now reporting cyber incidents annually, too many nurseries still fall short of these standards, increasing risks to both business continuity and community trust.
When the Kidi nursery chain was hit by a major cyberattack in September 2025, leaders throughout the early-years education sector watched on in horror.
Sensitive, identifiable details of more than 8,000 children and staff were posted online for the world – and potential abusers – to see. In the aftermath of the attack hackers leaked photos and addresses and threatened parents with extortion.
Until then, nurseries had seen themselves as too small or “community-based” to be major targets. This is clearly no longer the case.
Cyberattacks on education
Cyberattacks on education have surged year-on-year. Nurseries not only hold addresses and contact details but sometimes medical notes, safeguarding files, and passport scans of very young and vulnerable children. This makes every breach both a GDPR issue and a genuine safeguarding event.
In Kidi’s case, hackers used real children’s details to extort parents, posting screenshots and profile data on the dark web. This rapidly became a media and regulatory firestorm: every nursery was suddenly a potential next victim, and every parent began to ask, “what are you doing to keep my child safe?”
Why are nursery schools so vulnerable?
Part of the risk can be attributed to the fact that nurseries operate on thin margins, with limited in-house technical skills. They gather information digitally but lack the resources to consolidate or professionally manage it.
National surveys show that only just over half of early years providers have a named cyber-security lead, and even fewer have had their contracts, data maps, or platforms externally audited in the past year.
Staff regularly work off-site to update records or communicate with parents, multiplying the attack surface. A blend of cloud-based management platforms with local spreadsheets and paper files makes data theft, unauthorized access, and accidental leakage all too probable.
Key reasons for sector exposure include:
- Large volumes of sensitive child/family data
- Inconsistent policies on storage and device use
- Limited training budgets
- Multi-site operations with weak technical oversight
- Pressure to restore normal service quickly – often before a true forensic assessment is complete
Knowing Your Data Landscape
Leadership and clarity are needed before technical fixes can be made. Every manager or board must be able to answer the following questions:
- Where is our data?
- Who touches it?
- When, and from which devices?
The shift to cloud-based services is a positive development as long as the data is stored in the UK or EU (or transferred only under an adequacy decision or other safeguard recognised by UK GDPR) and the provider's compliance commitments are written into the contract rather than assumed.
Old tech, new risks
Relying on a patchwork of local PCs, USB sticks, and unsecured cloud accounts for “operational convenience” is no longer acceptable in the face of these new threats, which escalate dramatically when:
- Legacy devices store unencrypted information
- Staff share logins, or fail to log out/lock systems
- Data is accessed on personal or unpatched devices
Modern Security Practices
We advocate a zero-trust model in which no device or user is trusted by default. Every session must be verified, and users must only be able to see what is essential for their role (least privilege). If a login is detected from an unexpected country or an unrecognised device, an alert should be raised immediately, with automatic lockout for the riskiest cases.
Mapping every data flow and storage point is the foundation for strong, GDPR-compliant policies. On top of that map, Data Loss Prevention (DLP) controls can spot mass file movements or suspicious bulk downloads before it is too late.
Cyber security cannot be seen as one big fix – it has to be a living process that adapts to evolving threats.
Evidence shows that requiring multi-factor authentication (MFA) for all users, not just admins, defeats the great majority of password-guessing and credential-stuffing attacks. Microsoft's own telemetry puts the figure at over 99% of automated account-compromise attempts blocked, and the UK's NCSC recommends MFA on every account that can support it.
Conversely, attacks can happen when basics get ignored. Incomplete rollouts, shared accounts, and the non-enforcement of conditional access create fertile ground for bad actors.
Limiting who uses a system, when, and from which devices should be standard and only a limited number of verified and vetted staff should have out-of-hours access to sensitive records.
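As an added illustration of the checks described in the zero-trust, DLP and access-limiting paragraphs above, the following Python script (example code written for this page, not taken from the article or from any vendor's product) runs four detections over a constructed audit log: a login from a country never before seen for that user, one account signed in from several devices within an hour (the signature of a shared login), out-of-hours access to safeguarding records by staff not on the approved list, and a bulk download of sensitive files. The log schema, field names, thresholds, working hours and the `OUT_OF_HOURS_ALLOWED` list are all assumptions for the example; a real deployment would read the equivalent fields from the management platform's or identity provider's audit export.

```python
"""
Added example (not from the original article): simple detection rules over a
constructed sign-in / file-access audit log. Schema, thresholds and the
out-of-hours allow list are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (ISO-8601 UTC timestamps), not real log data.
EVENTS = [
    {"ts": "2025-10-01T08:02:00Z", "user": "amy", "action": "login", "country": "GB", "device": "laptop-01"},
    {"ts": "2025-10-01T08:05:00Z", "user": "amy", "action": "download",
     "file": "safeguarding/child-0412.pdf", "device": "laptop-01"},
    {"ts": "2025-10-01T09:00:00Z", "user": "reception", "action": "login", "country": "GB", "device": "pc-front"},
    {"ts": "2025-10-01T09:10:00Z", "user": "reception", "action": "login", "country": "GB", "device": "phone-a"},
    {"ts": "2025-10-01T09:20:00Z", "user": "reception", "action": "login", "country": "GB", "device": "tablet-b"},
    {"ts": "2025-10-01T22:30:00Z", "user": "amy", "action": "login", "country": "RO", "device": "unknown-7"},
    # Twelve safeguarding files pulled in twelve minutes, late at night, from a new device.
    *[{"ts": f"2025-10-01T22:{31 + i:02d}:00Z", "user": "amy", "action": "download",
       "file": f"safeguarding/child-{i:04d}.pdf", "device": "unknown-7"} for i in range(12)],
]

SENSITIVE_PREFIX = "safeguarding/"       # assumed path prefix for safeguarding records
OUT_OF_HOURS_ALLOWED = {"manager"}       # assumed: vetted staff permitted out-of-hours access
WORK_HOURS = (7, 19)                     # assumed: 07:00-19:00 UTC counts as working hours
BULK_THRESHOLD, BULK_WINDOW = 10, timedelta(minutes=15)
SHARED_DEVICES, SHARED_WINDOW = 3, timedelta(hours=1)


def parse_ts(value):
    """Parse the log's UTC timestamp string into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return (rule, user, detail) alerts, processing events in time order.
    Each of the shared-account, out-of-hours and bulk rules fires once per user
    so that a single incident does not produce a flood of identical alerts."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries already seen
    logins = defaultdict(list)          # user -> [(timestamp, device)]
    downloads = defaultdict(list)       # user -> [timestamp of sensitive download]
    fired = set()                       # (rule, user) pairs already alerted

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = parse_ts(e["ts"]), e["user"]

        if e["action"] == "login":
            country = e["country"]
            # Rule 1: first sighting of a new country for an account with history.
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("new_country", user, country))
            seen_countries[user].add(country)
            # Rule 2: one account on many devices inside a short window.
            logins[user].append((ts, e["device"]))
            recent_devices = {d for t, d in logins[user] if ts - t <= SHARED_WINDOW}
            if len(recent_devices) >= SHARED_DEVICES and ("shared_account", user) not in fired:
                alerts.append(("shared_account", user, sorted(recent_devices)))
                fired.add(("shared_account", user))

        elif e["action"] == "download" and e["file"].startswith(SENSITIVE_PREFIX):
            # Rule 3: sensitive record opened outside working hours by non-approved staff.
            in_hours = WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]
            if not in_hours and user not in OUT_OF_HOURS_ALLOWED and ("out_of_hours", user) not in fired:
                alerts.append(("out_of_hours", user, e["file"]))
                fired.add(("out_of_hours", user))
            # Rule 4: bulk download of sensitive files within the DLP window.
            downloads[user].append(ts)
            recent = [t for t in downloads[user] if ts - t <= BULK_WINDOW]
            if len(recent) >= BULK_THRESHOLD and ("bulk_download", user) not in fired:
                alerts.append(("bulk_download", user, len(recent)))
                fired.add(("bulk_download", user))

    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed log, the script raises four alerts in time order: the shared "reception" login, amy's first login from a new country, her out-of-hours access, and the bulk download. The thresholds are deliberately simple; the point is that each rule needs only the fields a typical audit export already contains, so a small setting can start with its own platform's logs rather than waiting for a full DLP product.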
Many nurseries that survived cyber incidents, or simply avoided them, have a common thread:
- Annual, independent audits, with rapid response to all findings
- Cyber insurance tailored to childcare settings and their particular safeguarding responsibilities, rather than generic business coverage
- Regular crisis response exercises, so every staff member knows how to spot a phishing attempt or respond to a suspected breach
- Transparent communication, both internally and with parents, making data safety part of the setting’s visible culture
The human element: training and culture
Phishing and messaging scams remain the number one source of data breaches in childcare and education. The UK government’s Cyber Security Breaches Survey consistently finds phishing to be the most common attack type, reported by over 80% of organisations that identified an attack, and the NCSC’s guidance for education settings makes the same point: most successful attacks start with a staff member being tricked rather than with a technical exploit.
Ongoing cyber education is as vital as technology. Nurseries must run simulated phishing campaigns (and share the outcomes in staff meetings), keep parents in the loop about recent threats and what’s being done to counter them, and make it simple and “safe” for staff to report suspicious messages or accidental clicks.
Legal, contracts, and the regulator
Even the best technical setup is incomplete without up-to-date contracts and compliance measures. Under UK GDPR, controllers must be able to demonstrate their compliance, and processors working for them must be bound by a written contract. Article 28 sets out what that contract must contain: among other things, the processor must help the controller meet its breach notification duties and must submit to audits and inspections, which is exactly what a nursery needs from its management-platform and IT suppliers.
Ask yourself:
- Are all your software and IT providers GDPR compliant?
- Have you formalized what happens (and who’s responsible) in the event of a breach?
- Do you have cyber insurance? Is it tailored for the volume and sensitivity of data you hold?
What if the worst happens? You need a recovery plan
If you are breached:
- Notify the ICO within 72 hours of becoming aware of a breach that is likely to put people at risk, as UK GDPR requires, and tell affected parents without undue delay where the risk to them is high; report the crime to the police (via Action Fraud) as well
- Engage any cyber insurance providers and forensic IT partners immediately to limit damage
- Retain every communication and incident log; regulators and parents will ask for evidence
- Communicate early and honestly with parents; explain what was accessed, what it means, and what’s changing going forward
- Plug any technical, procedural, or contractual holes fast – and review staff access and permissions
After the breach:
- Share post-breach audits and recovery investments with parents
- Build data protection into your public brand
- Empower staff and families to report concerns and ask questions year-round
The real value of prevention
Setting aside the very real risks of massive fines by the regulator and legal action from parents, a full-fledged breach can mean weeks – or months – of lost business, during which time families will have moved on with their precious children. Insurance premiums can rocket after even a single claim.
In comparison, the costs of properly-scoped technology solutions, regular audits, up-to-date insurance, and staff training are modest.
Prevention is not just less expensive – it’s the only rational choice for a sector that trades on trust and word of mouth.
The 2025 Kidi hack was a reset moment: a reminder that cyber risk is a board-level problem and child protection now has to include digital defense. Those nurseries – and boards – that step up today will protect not only their own sustainability, but the trust of every parent and child they serve.
FAQ: Five Essential Safeguarding Answers
1. How do I know if my nursery tech is secure enough?
Strong digital safety means annual third-party audits, real-time data loss monitoring, and penetration tests. Parents, the ICO, and Ofsted increasingly expect clear evidence.
2. How soon should I enable MFA and conditional access?
Without delay. MFA on every account, backed by conditional access policies that restrict where and from what devices people can sign in, stops the overwhelming majority of account takeovers, as the MFA figures cited above show.
3. Is cloud hosting safer than local servers for nursery data?
In almost all cases – as long as the provider is reputable and data is stored in the UK/EU, and you keep ironclad audit and access controls. Beware of vendors without clear certifications or breach protocols.
4. What should I do about legacy systems and paper records?
Review and migrate data whenever feasible; patch legacy systems or, where they cannot be patched, isolate them on their own network segment with no route to sensitive records; encrypt anything that must remain on old devices; and keep paper records in locked storage with a register of who has access.
5. How can I reassure parents after a data breach?
Be direct, transparent, and factual. Share recovery steps, remediation investments, and make it clear how things will be safer in future – trust depends on visible, ongoing improvements.
The time to protect your young learners and your reputation is now. Contact me on +44 203 034 2244 or online to start securing your setting.