Following recent news in the media that the ‘Kido’ nursery group’s data has been breached and held to ransom, we’ve had a number of concerned customers and parents reach out to us about our own data security.
The Kido group has confirmed they use another software provider, and as such this breach has no impact whatsoever on Blossom’s user data.
As always, your data with Blossom is safe and secure. Below, we detail how this is always the case.
What to do when you hear about a data breach
The first step, whether the breach happened to you or not, is not to panic. Rash decisions about data are how breaches occur in the first place.
Second, review your processes to make sure you’re doing everything reasonable to keep your data secure. As a reminder, these are your responsibilities with regard to your parents’ and children’s data as defined by the ICO’s data protection principles:
- Data will be processed lawfully, fairly and with transparency
  - Don’t ask for data you don’t legally need and do nothing illegal with it; treat your data with respect for its personal nature; and be open about what you will use the data for
- Purpose limitation
  - Only use data for what you need it for, and document those processes
- Data minimisation
  - Collect only as much data as is needed for your purposes
- Accuracy
  - Correct known inaccuracies as soon as possible, and check employment references for employees before hiring
- Storage limitation
  - Financial information needs to be stored for 6 years, the rest as long as your data retention policy dictates
- Integrity and confidentiality (security)
  - Store your data somewhere secure like a password-protected platform (such as Blossom) that uses data encryption
If your parents are filling in Subject Access Requests, you can provide them with their data within one month of the request. If they’re requesting deletion, explain that you can only delete some information, as other information is required for accurate record keeping.
How Blossom keeps your data secure
When your Blossom data is stored or in transit, it’s encrypted with 256-bit encryption. This is considered virtually uncrackable by brute-force attacks using current computer systems. We also use AWS (Amazon Web Services) cloud servers for our data, as their tools allow us to continually ensure security over financial information along with the five Trust Services Criteria.
The benefits of using cloud servers include automatic patching, updates and infrastructure hardening, so security updates are delivered instantly as soon as they’re available. They also have redundancy, failover and disaster recovery built in – increasing resilience to both outages and attacks. At Blossom we do system backups twice a day, and data is only ever stored in Europe.
We don’t have a public API, so your data is only ever shared with accredited third parties such as Stripe, or on your Blossom platform. This hugely reduces our attack surface, meaning we have no additional vulnerabilities or data exposure that can benefit hackers.
Our Development teams are ISO certified for data compliance, particularly ISO 27001, which is a standard for protecting data through a systematic approach to data management.
In short, we’re doing everything we can to keep your children’s and parents’ data safe. But there are also steps you can take to reduce your exposure to a data breach.
How to protect your data
Restrict access
It starts with thinking carefully about who you allow to access your data. In the same way you wouldn’t share your phone PIN with anyone you didn’t trust, you shouldn’t let anyone in your setting access data they don’t need.
This is called ‘least privilege’, and can be controlled through Blossom’s role permissions and device access, including room-specific restrictions. You should also periodically review and revoke unused accounts.
Staff training
Staff training on awareness of phishing attempts is paramount, as not every phishing attempt reads like a scam, full of spelling errors and other obvious giveaways. With the rise of AI, phishing attempts can also include voice imitation of someone close to you. Blossom staff will never ask for your platform password, either by phone or email.
Device security
Ensure all devices you use to access Blossom (or any data you want to keep safe) have up-to-date software, use network security like firewalls, and aren’t used for anything ‘risky’ like unrestricted web browsing or unchecked downloads.
You should also lock and secure portable devices with screen locks, auto locks, device PINs and timeout features. Blossom features a timeout so users cannot stay logged in indefinitely, reducing risk.
Our platform also tells you if you’re using a weak or strong password, and you should always use the strongest password you can. It might be harder to remember, but as soon as you choose convenience over security, that security is weakened.
Breach response and procedures
Define the steps you and users should take if a device that accesses Blossom is lost or stolen, including who to contact, how to change credentials remotely, and auditing login attempts. While it can be scary, make sure anyone who suffers this loss or theft is unafraid to report it, as the longer they take to report it, the greater the risk of breach.
Maintain clear data protection policies and review them regularly, such as once a year. You should also assign responsibilities such as a data protection lead, log monitor, first point of contact etc.
If you’re not sure where to start with any of these, there are some free resources below which you can use to up your security and prepare for future threats: