Famly update on the 2025 cyber incident

We know that recent media reports about a cyber incident involving a UK nursery group have caused a lot of concern for EY leaders, staff and families right across the sector. That’s why we wanted to take the chance to clarify Famly’s position and reassure you all that our system is safe and secure for the millions of parents and customers that rely on us.

The Cyber Incident: What happened?

In September this year, media outlets reported that hackers obtained sensitive data belonging to a nursery group. Some reports mentioned Famly because the mentioned nursery group uses our software to manage its nurseries.

As confirmed by the BBC, Famly’s own investigation found that our security and infrastructure was not breached or compromised. The Famly system remains secure and fully operational.

The hackers later claimed to have deleted the data they accessed. The Metropolitan Police Cyber Crime Unit continues to investigate, and two arrests have been made.

Reports suggest the hackers attempted to extort the nursery group for money but were not successful.

The real victims of this incident are of course the children, families, and educators affected. No parent or nursery should ever face a situation where their data is accessed by criminals. Cybercriminals targeting nurseries represent a new and unacceptable low.

How Famly keeps data safe

We conducted a thorough investigation of the Famly platform and can confirm that, while the data that was affected was stored in Famly, our security and infrastructure was not breached or compromised, and remains fully intact.

We take data security and privacy extremely seriously and keep your data safe in a multitude of ways, such as:

• Encryption while in transit and at rest
• Cyber Essential Plus Certificate
• A secure data centre and a separate back-up data centre
• Multi-factor authentication for employees, with all access to personal data logged and monitored
• Daily full backups of data 
• Clear procedures in place to quickly address and mitigate any potential security or data breaches
• Annual audits by independent auditors
• Annual penetration testing by an independent third party

You can read more about Famly’s data security here.

How we’re supporting customers 

We’ve stayed in close contact with all customers throughout, providing clear and transparent updates on the situation.

‍
While we already offered the option of multi-factor authentication and options for single sign-on, our engineering teams have been working to make further improvements to strengthen customers options for data security, at a time of heightened scrutiny of their systems. These include:

• Simpler multi-factor authentication setup
• New tools for managers to see which staff have enabled multi-factor authentication
• Organisation-wide multi-factor authentication enforcement and single sign-on controls
• Improved recovery options to avoid lockouts
  

Helping nurseries stay cyber-secure

The incident has, of course, raised broader security concerns in the sector about how settings can protect themselves from an incident like this one.

While Famly acts as data processor, not data controller, (we can process data only under our customers’ instructions), we want to help settings strengthen their own security practices.

Top tips for safer data in Early Years settings

1. Strong passwords - The National Cyber Security Centre recommends using strong passwords. Combine three or four random words to create a single password, like “rosedreamcrumbsbusses”. Never use something easily predictable, like your setting’s name or “Password1234”. Never reuse the same password for different accounts or share log-ins with anyone else. Don’t keep a note of your password near (or on) your device.
   
   
2. Keep your software and operating system up-to-date - Software updates can often include new security measures, so enable ‘automatic updates’ on your devices.
   
   
3. Be vigilant with emails - The NCSC recommends looking out for ‘official-sounding’ messages, or emails full of 'tech speak’ that persuade you to do something immediately - this could be phishing. If you’re not sure, don’t open the email and don’t click any links.
   

4. Back up important data - The NCSC recommends making a list of the most important information and information that you're legally obliged to safeguard and saving this securely on an external hard drive or to a secure cloud. If you’re using Famly, this is already taken care of for you.
   
   
5. Keep your devices securely stored away when they’re not in use - As well as locking your device digitally, via PIN or password, keeping devices secure could prevent theft or damage. Find a safe place to put tablets during the day and lock them up when they’re not being used.

Our commitment to Early Years security

It’s important that we reiterate a few key messages in terms of Famly’s own system and its safety.

• Famly’s platform has not been breached.
• The cyber incident did not involve a compromise of our systems. 
• We continue to work closely with customers and the sector to keep data safe.
  

We understand how unsettling stories like this can feel. That’s why we’re working with our customers and the whole sector through this situation with transparency, action, and continued investment in the security of the data entrusted to us.