26th September 2025
In the light of the latest hacker attack on a children's nursery group, the Kido nursery chain, have you reviewed your online presence and what information you hold?
Small businesses and charities may be particularly vulnerable, and often lack the resources to protect themselves.
Kido Nursery story at BBC
Charities and small businesses are definitely vulnerable to hacking and data breaches, sometimes acutely so. Below: what the latest data shows, what makes charities especially at risk, and what kinds of protection can help.
What the data says: how common are breaches in charities?
Here are some recent statistics and findings on charities:
About 30% of UK charities reported experiencing a cybersecurity breach or attack in the past 12 months. That’s around 61,000 registered charities.
Among charities with annual income of £500,000 or more, two-thirds (66%) experienced an incident.
(Source: Civil Society)
The most common type of attack or breach is phishing: in surveyed charities, 83-86% of those that suffered a breach said phishing was involved.
Other common threats: impersonation (fake or spoofed emails or web presences), malware, and business email compromise (where a genuine or convincingly faked business email account is used to trick staff into transferring funds or changing payment details).
So breaches are fairly common.
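The impersonation and business-email-compromise pattern above is worth seeing concretely. The following Python is an added illustration, not code from the original post: a few header heuristics that a small organisation could run over incoming mail to triage "colleague's name on an outside address", lookalike sender domains, Reply-To diversion and payment-urgency wording. The organisation domain, staff names and sample headers are all constructed for the example, and these checks complement rather than replace SPF/DKIM/DMARC enforcement at the mail gateway.

```python
"""Heuristics for the impersonation / business email compromise (BEC) pattern
described above: mail that looks as if it comes from a colleague or from the
organisation itself but actually originates elsewhere or redirects replies.

Added illustration, not code from the original post. The organisation
domain, staff list and sample headers are all constructed."""

from difflib import SequenceMatcher
from email.utils import parseaddr

ORG_DOMAIN = "example-nursery.org.uk"        # assumed organisation domain
STAFF_NAMES = {"Jane Smith", "Ahmed Khan"}   # assumed staff display names


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def _lookalike(domain: str, real: str) -> bool:
    """True if `domain` is a near miss of `real`: homoglyph swap or one-off typo."""
    if not domain or domain == real:
        return False
    # Undo common homoglyph substitutions (rn->m, 0->o, 1->l) before comparing.
    normalised = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    if normalised == real:
        return True
    return SequenceMatcher(None, domain, real).ratio() >= 0.9


def flag_impersonation(headers: dict) -> list[str]:
    """Return the reasons a message looks like impersonation or BEC.

    An empty list means none of the heuristics fired. This is a triage aid
    for a small organisation, not a substitute for SPF/DKIM/DMARC checks."""
    reasons = []
    display_name, _ = parseaddr(headers.get("From", ""))
    from_dom = _domain(headers.get("From", ""))
    reply_dom = _domain(headers.get("Reply-To", ""))

    # 1. A colleague's name on an address outside the organisation.
    if display_name.strip() in STAFF_NAMES and from_dom != ORG_DOMAIN:
        reasons.append(f"display name '{display_name}' from external domain {from_dom}")
    # 2. Sender domain is a lookalike of our own.
    if _lookalike(from_dom, ORG_DOMAIN):
        reasons.append(f"lookalike domain {from_dom}")
    # 3. Reply-To quietly diverts replies to a different domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Payment-diversion or urgency wording typical of BEC.
    subject = headers.get("Subject", "").lower()
    if any(k in subject for k in ("urgent", "bank details", "payment", "invoice")):
        reasons.append("payment/urgency wording in subject")
    return reasons


# Constructed sample headers: one legitimate internal mail and two attacks.
SAMPLES = [
    {"From": "Jane Smith <jane.smith@example-nursery.org.uk>",
     "Subject": "Staff rota for next week"},
    {"From": "Jane Smith <jane.smith.nursery@gmail.com>",
     "Reply-To": "finance-desk@outlook.com",
     "Subject": "URGENT: updated bank details for supplier payment"},
    {"From": "Accounts <accounts@exarnple-nursery.org.uk>",
     "Subject": "Invoice 1042 attached"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", flag_impersonation(msg) or "looks legitimate")
```

Running the block prints nothing for the genuine internal rota email, three reasons for the Gmail "Jane Smith" with a diverted Reply-To and urgent bank-details subject, and two for the `exarnple-nursery` lookalike domain carrying an invoice. Tune the staff list and keyword set to your own organisation; false positives are cheap here, a missed payment diversion is not.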
Why charities are especially vulnerable
Charities often have a combination of factors that make them softer targets compared to big corporations. Some of those are:
Limited budgets and resources
Many charities spend most of their funds on their core mission (support work, care, etc.) and have less left over for cybersecurity — for example, fewer dedicated IT or security staff.
Use of volunteers or part-time staff
Because charities often rely on volunteers or staff without formal cybersecurity training, awareness of risk tends to be lower and security hygiene less consistent (weak or reused passwords, not recognising phishing) among the very people who have access to data.
Outdated / unpatched systems
Some charities may run older software, devices, or systems that haven’t been updated, making known vulnerabilities more exploitable.
Handling sensitive data
Charities often store personal data about donors, beneficiaries (clients), sometimes children or vulnerable people. That data is attractive to criminals.
Trust and reputational risk
Because charities are expected to be trustworthy, people often hand over data without expecting rigorous protection. If that expectation is violated, the damage to trust and reputation can be severe, and there can be legal and regulatory consequences under data protection law (UK GDPR and the Data Protection Act 2018) if data is mishandled.
Insider risk
Fraud or mishandling of data by people inside the organisation (staff, volunteers) can cause breaches, sometimes unintentionally (mistakes), sometimes maliciously.
What the impact looks like
When a charity is hacked or has client data stolen, among the possible consequences are:
Loss of privacy for clients, exposure of personal details (names, addresses, financial info etc.)
Risk of identity theft, phishing or fraud targeted at those whose data has been leaked
Disruption of services if systems are locked (e.g. ransomware)
Financial losses (recovering from the breach, legal fees, possibly paying ransom, fines under data protection laws)
Loss of donor trust, which can affect fundraising long term
Legal / regulatory consequences (e.g. reporting breaches, fines under GDPR or UK data protection law)
What charities are doing / guidance available
There are resources and recommendations to reduce the risk.
Government guidance ("Protect your charity from cyber crime") from GOV.UK covers basics such as securing devices, training people, backups and handling phishing. See https://www.gov.uk/guidance/protect-your-charity-from-cyber-crime?utm_source=chatgpt.com
National Cyber Security Centre (NCSC) has tools, training, guides for charities including “Small Charity Guide” and free/low cost resources.
Trustees and leadership are encouraged to treat cyber risk as a governance matter: understand it, not assume someone else handles it, and have plans in place for when things go wrong.
How safe are they really? (Assessing risk)
Given the above, the answer is that charities are not as safe as they should be: some are doing well, others are exposed. It depends a lot on:
The size of the charity and its income (bigger ones usually have more exposure, but also more resources to protect themselves)
How much sensitive data is stored, and whether it's encrypted / access-controlled
Whether staff and volunteers are trained / aware of phishing and social engineering risks
Whether IT infrastructure is kept up to date, whether backups exist, incident response plans etc.
In many cases, breaches are preventable if basic cybersecurity hygiene is followed: strong, unique passwords, multi-factor authentication, caution with untrusted attachments and links, prompt patching, and backups that have actually been tested. The problem is that many organisations, especially smaller ones, don't have the expertise or funding to implement these practices fully.
What to do if a nursery (or similar organisation) has had client data stolen
If you are involved with or know of a nursery where client data has been stolen, here are some steps to take:
Containment and assessment
Stop the breach continuing: disable or reset compromised accounts, isolate affected devices, and preserve logs and evidence before anything is wiped or rebuilt
Identify what data was stolen (names, addresses, health info, financial/payment data, etc.)
Understand how the breach happened (e.g. phishing, malware, hacked account, insider) if possible
Notification
Under UK GDPR / data protection law, you may be required to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals
Inform affected individuals (parents, clients) as soon as practicable (UK GDPR requires this without undue delay where the breach is likely to result in a high risk to them), being transparent about what was stolen and what steps are being taken
Remediation & Prevention
Reset compromised passwords and access credentials, and revoke any active sessions or tokens the attacker may still hold; enforce multi-factor authentication if not already in use
Patch any software vulnerabilities; ensure devices are up to date
Review backup policies; ensure backups are kept offline or otherwise separated from the live network so that ransomware cannot encrypt them too, and test that they actually restore
Train staff / volunteers on phishing awareness and safe handling of data
Review policies & governance
Check data protection policies, who has access to what data, whether data minimization is practiced (only collecting and holding what’s needed, for as long as needed)
Ensure there is an incident response plan for future breaches
Legal & regulatory compliance
Check UK GDPR requirements and whether the breach must be reported to the ICO, and to the Charity Commission under its serious incident reporting rules if the organisation is a charity
Seek legal advice if needed
Restore trust
Communicate clearly with affected families / clients about what happened, what you're doing to prevent recurrence
Show steps taken to strengthen security.
Is all your data backed up separately, offline or off-site rather than only on the same network?
Do you use strong, unique passwords with multi-factor authentication, and change them promptly if they are compromised? (Current NCSC guidance no longer recommends routine forced password changes.)