The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make."

So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biomentric Hardware 

---

Why Listen to Part 2?

If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.

The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.

The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.

The corrections: What we got wrong in Part 1, and why the reality is even more serious.

---

What You'll Learn

The Major Revelations

1. Cyber Security = Safeguarding (2025 Guidance)
   • First time explicitly linked in statutory guidance
   • Changes everything about how schools must respond
   • Makes Kido a safeguarding failure, not just IT breach
   • Gives cyber the legal teeth it's never had
2. The Repository Screenshot
   • VX-Underground documented what appears to be Kido's code
   • Files that typically contain credentials visible
   • Repository has since been removed
   • Suggests how breach may have occurred
3. Partial MFA = No MFA
   • Schools enable MFA for head teachers but not everyone
   • Like "locking doors but leaving windows open"
   • Must be ALL staff with system access or it's useless
4. The Third Party Illusion
   • Schools think IT providers handle compliance
   • DfE Standards explicitly say schools must verify
   • Cannot outsource responsibility

Practical Takeaways

• Why phone-based MFA conflicts with safeguarding policies (and what to do)
• The NCSC Cyber Assessment Framework for schools
• Questions to ask developers about code repositories
• How to audit custom software
• What "Time Off In Lieu" means for training

---

 

The VX-Underground Discovery (Important Context)

What We Can Confirm

On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:

• Repository name: kido-fullstack/mykido-api
• Files visible: Including mail.py (typically contains email credentials in Python apps)
• Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
• Current status: Repository has been removed
• VX-Underground's assessment: Called it "f**king slop piece of s**t"
• See: https://www.instagram.com/reel/DPUjd9mj2tG/

What We Cannot Independently Verify

• The actual contents of the files (repository is down)
• Whether repository was public or had limited visibility
• That this definitively caused the breach
• What specific credentials may have been present

Why It Matters

This screenshot shows the exact type of vulnerability cybersecurity experts warn about:

• Custom code pushed to repositories without proper security review
• Files that typically contain credentials visible in structure
• Pattern common in education sector (confirmed by Tammy)
• Explains how Famly data could be accessed without Famly infrastructure breach

We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

---

The Safeguarding Game-Changer

2025 Keeping Children Safe in Education Guidance

For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.

What this means:

• Cybersecurity is no longer optional IT work
• It's a safeguarding responsibility with Ofsted implications
• Schools respond to safeguarding requirements (unlike IT recommendations)
• Governors have safeguarding oversight duties that now include cyber
• The Kido breach is officially a safeguarding failure

When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.

Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

---

Critical Corrections from Part 1

1. The MFA Misconception

What we said in Part 1: "Only 50% of schools have MFA enabled"

What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.

The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.

The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.

Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

2. The Compliance Responsibility Myth

The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."

The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"

What IT providers should do: Help implement technical controls

What schools must do: Verify compliance is actually happening

Who's responsible: School leadership, governors, senior management - not outsourceable

3. Training and TOIL

Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.

Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

---

Resources Mentioned

Statutory Guidance and Standards

Keeping Children Safe in Education 2025

• Statutory safeguarding guidance for schools
• First explicit link between cybersecurity and safeguarding
• Available: UK Government website / DfE publications
• ACTION: Read Section on Cyber Security Standard

DfE Digital Standards for Schools

• Sets out cyber security requirements
• Six standards schools should meet by 2030
• Schools must actively verify compliance
• ACTION: Ask your school "Are we meeting these?"

Free Security Resources

NCSC Cyber Assessment Framework (CAF)

• Designed specifically for small businesses and schools
• Written in accessible language (not technical jargon)
• Covers: access control, incident management, supply chain security
• Free to use
• LINK: ncsc.gov.uk

NCSC Early Years Settings Guidance

• Bespoke guidance for nurseries
• Practical steps for settings without IT expertise
• LINK: ncsc.gov.uk

GitHub Secret Scanning

• Free for public repositories
• Detects exposed credentials in code
• Schools should use if they have repositories
• ACTION: Enable on all repositories

Tammy's Resources

DfE Digital Standards Webinars

• Regular sessions explaining standards in simple terms
• How to track progress and implementation
• Contact Tammy for upcoming dates

---

Guest Expert

Tammy Buchanan

Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background:

• 15 years in UK education sector
• 12 years working directly in schools (8 years technician, 4 years IT manager)
• "Recovering Dave from IT"

What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.

Expertise:

• Data protection compliance in education
• Information security for schools and MATs
• DfE Digital Standards implementation
• GDPR for the education sector
• Cyber resilience on school budgets

Contact Tammy

Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services:

• Compliance assessments
• DfE Digital Standards webinars
• Data protection consultancy for schools and MATs
• Incident response support

 

Questions Parents Should Ask Their School

Copy these questions and email them to your head teacher:

Security Basics

1. Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
2. How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
3. Where is your incident response plan, and when was it last tested?

Custom Software and Code

4. Do we have any custom-built software, integrations, or scripts?
5. If yes: Where is the source code stored? (GitHub, GitLab, etc.)
6. Who has access to our code repositories?
7. Have repositories been scanned for exposed credentials?
8. Do former developers or contractors still have access to our systems?

Compliance and Governance

9. Are we meeting the DfE Digital Standards, and how is this verified?
10. Who on the governing body is responsible for data protection and cyber resilience?
11. How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?

Third Party Platforms

12. Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
13. How do you verify these platforms are securely configured?
14. Does our IT provider handle compliance verification, or do you verify it yourselves?

Don't accept: "We have an IT company, they handle all this."
Do accept: Specific answers with evidence of verification.

---

Questions Schools Should Ask Developers

If you have any custom software, ask your developer:

1. Where is the source code stored?
2. Is the repository public or private?
3. Who currently has access to the repository?
4. Are there any credentials, API keys, or connection strings in the code?
5. How are secrets managed? (Environment variables, secret management tools?)
6. When was the code last security reviewed?
7. Has the repository been scanned for exposed secrets?
8. What happens if you're not available? Who else can access/maintain this?

Red flags:

• "What do you mean by credentials in the code?"
• "It's a private repo, it's fine."
• "I'll get round to moving those credentials out eventually."
• Cannot answer who else has access

---

The Bigger Picture

Why This Matters Beyond Kido

The pattern Tammy sees constantly:

1. School needs custom integration between systems
2. Hire developer (staff, parent volunteer, local contractor)
3. Developer builds something functional
4. Developer has zero security training
5. Code pushed to GitHub/GitLab for convenience
6. No security review, no secrets management
7. Repository sits there for months/years
8. Former contractors still have access
9. No documentation of what exists or where
10. School doesn't know to check

One credential compromise = full breach

The Education Sector Reality

Constraints schools face:

• No dedicated IT staff (part-time technician comes twice a week)
• No cybersecurity budget
• Volunteer governors with no technical expertise
• Staff expected to train in unpaid time
• Third-party providers without clear responsibility
• Safeguarding policies that conflict with security best practice
• An overwhelming number of platforms and systems
• Turnover of staff and contractors

What needs to change:

• Make cyber security statutory with Ofsted oversight
• Provide funding for proper implementation
• Link explicitly to safeguarding (now happening!)
• Require IT providers to verify compliance
• Train governors on cybersecurity oversight
• Make DfE Digital Standards non-negotiable

The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.

---

Key Quotes

Tammy on partial MFA:

"It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."

Tammy on the safeguarding link:

"Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."

Tammy on the repository:

"This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."

Tammy on compliance responsibility:

"Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."

Noel on the repository screenshot:

"The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"

---

What's Next?

If You're a Parent

1. Email your school the questions above
2. Don't accept vague reassurances
3. Ask for specific evidence that they're meeting DfE Digital Standards
4. Remember: you're asking about safeguarding, not just IT

If You're a School Leader

1. Read the 2025 Keeping Children Safe in Education guidance
2. Audit all custom software and code repositories
3. Enable MFA for ALL staff (find solutions for phone conflict)
4. Document what you have and who has access
5. Verify DfE Digital Standards compliance yourself
6. Contact Tammy or similar experts for gap analysis

If You're a Governor

1. Add cyber security to safeguarding oversight
2. Ask the head teacher the same questions parents should ask
3. Don't accept "our IT company handles it"
4. Consider appointing a digital lead on the governing body
5. Ensure cyber security is a standing agenda item

---

Social Media Sharing

Share this episode if:

• You're a parent with kids in nursery or school
• You're a school governor or school leader
• You work in education
• You're concerned about children's data protection
• You want schools to take cyber security seriously

Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards

Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."

---

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Full breakdown of repository screenshot analysis
Subscribe: Available on all major podcast platforms
Review: Leave us a review and tell us what you think
Comment: What security topic should we cover next?

Currently ranked Top 100 Apple Business Podcasts (US)

---

Related Episodes

Part 1: The Education Data Protection Gap (listen first)

• Main interview with Tammy Buchanan
• Overview of Kido breach
• Systematic failures in education security
• 35-40 minutes

The Kido Hot Take 

• Initial reaction to breach announcement
• Why nurseries are targets
• Immediate implications

---

Episode Credits

Hosts:

• Noel Bradford (The Veteran Solution Provider)
• Mauven MacLeod (The Government-Trained Practitioner)
• Graham Falkner (Producer/Researcher)

Guest:

• Tammy Buchanan (Data Protection Education)

Production:

• Same session recording as Part 1
• Tea break transition edited
• Cold open recorded post-session
• Natural conversation maintained

Special mention:

• Custard creams (the real MVPs)
• VX-Underground (for documenting the repository before it vanished)

---

Legal Disclaimer

This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.

Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.

The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.

---

Transcript

Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts

Accessibility: Contact us for alternative formats

---

Next Episode

Next time: Infosec, Cybersec, and IT security - They are the same right?? Spoiler Alert: No they are not!

Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.

---

Published: 13 October 2025
Duration: ~30 minutes
Format: MP3
Copyright: © 2025 The Small Business Cyber Security Guy
License: All rights reserved

---

Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.