From Booking to Breach: The Risk You Didn’t See Coming

Side profile of woman using laptop with cyber security concept.

From Booking to Breach: The Risk You Didn’t See Coming

Even with trusted systems in place, children’s activity providers aren’t immune to cyber threats. Here’s why it still matters, and what you can do.

You didn’t set up your business to spend hours on admin.

You wanted to make a difference to help little ones learn, play, dance, stretch, or express themselves. Maybe you started out with a small class in a church hall or community centre. Maybe you’re now running packed-out sessions across multiple days.

But no matter how your business has grown, one thing is probably true: it’s all online now.

Bookings, registers, payments, emails are all managed through digital tools designed to make life easier. And thank goodness for them. With everything else you have to juggle, software that helps reduce paperwork and stay organised has become a lifeline.

But here’s the thing: just because you’re using a platform to manage your data doesn’t mean the responsibility goes away.

Even when it’s not your system – it’s still your business

Whether you use a well-known booking app, a purpose built admin tool, or a free form system stitched together with spreadsheets and email, the moment a parent shares their child’s information with you, you become responsible for keeping it safe.

Yes, the platforms you use invest a lot into keeping things secure and many do a fantastic job. But if there’s a breach, or a mistake, or a dodgy email that catches someone out, it’s you the families will look to for answers.

Not the platform. You.

And in a business built on trust, how you handle that moment really matters.

A quick word on roles and responsibility

Under UK data protection law, if you collect personal data from families (even if it’s stored in another system), you are the Data Controller. That means you decide what data is collected, how it’s used, and who it’s shared with.

The platform you use (for example, a booking system or payment processor) is usually a Data Processor and they handle the data on your behalf.

So, if something goes wrong, whether it’s a security breach, a data leak, or a loss of access, the legal and ethical responsibility to deal with it still rests with you as the controller. That includes informing families, reporting incidents if necessary, and knowing what steps to take next.

It’s not always fair but it’s how the law works. And knowing where you stand helps you stay in control.

But I thought I was covered?

That’s a common feeling. And totally understandable.

If you’re using a platform that promises security, GDPR compliance, and regular updates, you’re doing the right thing. But that doesn’t always protect you from what happens on your side or how you or those supporting you use those tools day-to-day.

Here’s what we often see catch people out:

One shared login used across different helpers or instructors
Forgotten access for people no longer involved in your business
Auto-emails going out to the wrong people
Unfamiliar emails that look like the real thing
Assuming someone else will sort it if there’s a problem

These things don’t happen because you’re careless, they happen because you’re busy, and the tech is supposed to be easy. But those same gaps can open the door to real risk.

What does a cyber risk actually look like?

Imagine this: A parent gets in touch because they received an email from you asking them to update their payment details. Except… you didn’t send it.

They forward the email. It looks just like your usual messages, same logo, same sign-off. But the link goes somewhere else. Somewhere unsafe.

You check your system and realise someone has gained access using your login. They’ve sent fake messages to every parent you work with. Now you’re spending the evening trying to contact families, calm worries, and figure out what to do next.

You didn’t write the code. You didn’t build the system. But it’s still your business, your reputation and your responsibility.

So what can you do?

You don’t need to become a tech expert to protect your business. A few simple steps can go a long way:

1. Review access regularly
If anyone else supports your sessions or helps with admin, make sure they only have access to what they need and remove anyone no longer working with you.

2. Take five minutes to check your settings
Look at what data you’re collecting, where it’s stored, and who can see it. Less is more when it comes to sensitive info.

3. Stay alert to phishing and scams
Whether it’s just you or a small team, it helps to be cautious with unexpected emails, links, or password requests. If in doubt - don’t click.

4. Understand your software’s process
Find out what support is available if something does go wrong. Do they notify your customers? Do you?

5. Think about cover
It’s worth checking whether your insurance includes cyber protection. If not, it might be something to consider, especially if you’re holding children’s data.

Final thoughts

You don’t need to overhaul your business. You don’t need to do everything at once. But it is worth taking a step back and asking:

“If something went wrong with our data, could I explain what happened and how we’d fix it?”

Running children’s activities is about so much more than filling time it’s about inspiring children and families to learn, grow, connect and thrive. And now, part of that safety and inspiration lives in your systems and screens.

The good news? You’re not alone in this. Every provider - whether solo or supported by a team is navigating the same digital shift and learning as they go. With a little awareness, a few precautions, and a bit of backup, you can feel more confident that your tech is helping your business, not leaving it vulnerable.

You already create spaces that spark curiosity, build confidence, and bring joy.
Protecting that online is just one more way to keep the magic going.

Bio

Gary Harrison, Head of Operations at Morton Michel.

With over 17 years at Morton Michel and more than two decades in the insurance industry, Gary is passionate about supporting the childcare and education sectors through meaningful, risk-aware partnerships. A champion of inclusive practice and sector innovation. Gary and his team at Morton Michel work closely with providers, policy experts and insurers to ensure that insurance reflects the real-world needs of early years professionals.

Headshot of Gary Harrison, Head of Operations at Morton Michel