When Cybercriminals Target Children: The Kido Nursery Attack

September 29, 2025

In a disturbing escalation of ransomware tactics, the hacker group calling itself Radiant Group has crossed a line that even hardened cybercriminals typically avoid—deliberately targeting children's data and encouraging parents to sue the victimised organisation. The attack on UK nursery chain Kido represents not just a data breach, but a troubling evolution in cybercriminal behaviour that should alarm every organisation handling sensitive personal information.

The Attack: A Timeline of Escalating Threats

The Radiant Group claims to have compromised 18 UK nurseries managed by Kido, accessing data on more than 8,000 individuals. The breach, which may have occurred several weeks before parents were notified, has already seen the attackers release 10 children's profiles onto the dark web as proof of their access and willingness to follow through on threats.


The group's subsequent communications have been brazenly aggressive. On their dark web page, Radiant posted: "We encourage any parents that's been affected to sue the nursery. They do not care about your data," alongside a link to a joint claim page—an unprecedented move that weaponises affected families against the victim organisation.


The hackers have threatened to release significantly more sensitive information, including:

  • 30 additional children's profiles
  • Personal information of 100 employees including full names, national insurance numbers, dates of birth, and addresses
  • Employment records with start dates and email addresses
  • Accident and safeguarding reports
  • Billing information


This data represents a comprehensive dossier on the most vulnerable individuals and those responsible for their care—information that could be exploited in countless malicious ways.



Breaking Cybercriminal Norms

What makes this attack particularly concerning is its deliberate targeting of children's data. Historically, even ransomware groups operating with few ethical constraints have tended to backtrack when they discover children's information has been compromised, recognising both the reputational damage and potential for intensified law enforcement response.


If Radiant Group succeeds in extracting payment through these extreme tactics, it establishes a dangerous precedent that other criminal groups will inevitably follow. The targeting of children could shift from an unacceptable line to just another pressure tactic in the ransomware playbook.



The Attack Vector: Breached Credentials

Cybersecurity group Palo Alto Networks has indicated that "breached credentials" may have been used to gain access to Kido's data, potentially through a recent acquisition. This highlights a common vulnerability in organisational cybersecurity: the integration of newly acquired entities often creates security gaps as systems are consolidated and legacy access controls may remain inadequately secured.


Initially, there was concern that the breach had occurred through Famly, a software platform used by many nurseries and childcare organisations. However, Anders Laustsen, chief executive of Famly, confirmed that a thorough investigation found "no breach of Famly's security or infrastructure in any way" and no other customers were affected.


This clarification is significant—it means the attack was targeted at Kido specifically rather than representing a supply chain compromise that could have affected numerous childcare providers simultaneously.



The Broader Implications

The Kido attack carries implications that extend far beyond a single nursery chain:

Vulnerability of Childcare Sector

Childcare providers often operate with limited IT security budgets and resources, making them attractive targets for cybercriminals. The sector handles extraordinarily sensitive information about children and families, creating a perfect storm of high-value data and potentially inadequate protection.


Weaponising Public Opinion

By actively encouraging parents to sue Kido and providing a platform for collective legal action, Radiant Group is pioneering a new tactic: turning victims against the victim organisation. This approach multiplies the pressure on the target whilst potentially making payment seem like the path of least resistance compared to protracted litigation.

Normalising the Unacceptable

If this attack proves financially successful for Radiant Group, it will inevitably be copied. What was once considered beyond the pale may become standard operating procedure, with criminals specifically targeting organisations that serve children, knowing the emotional and reputational leverage this provides.


Regulatory Response

The attack has already prompted response from the National Cyber Security Centre (NCSC), which has issued specific guidance for early years groups. Jonathon Ellison, NCSC director for national resilience, described the reports as "deeply distressing" and the Metropolitan Police are investigating.

However, the incident raises questions about whether existing regulatory frameworks adequately address the unique vulnerabilities and responsibilities of organisations handling children's data.


The Human Cost

Behind the technical details and criminal tactics lies genuine harm to real families. Parents who entrust their children to nursery care have now discovered that sensitive information about their children—potentially including safeguarding concerns and accident reports—may be exposed on the dark web.


The psychological impact on affected families should not be underestimated. Parents must now consider whether information about their children could be used for identity theft, targeting, or other malicious purposes years into the future. The safeguarding reports in particular could contain sensitive information about family circumstances that parents reasonably expected would remain confidential.


For Kido staff, the exposure of national insurance numbers, addresses, and employment details creates immediate practical concerns about identity theft and fraud, alongside the professional distress of being caught up in such a public security failure.



Protecting Childcare Organisations

The Kido attack provides urgent lessons for all organisations in the childcare sector:

Credential Management

With breached credentials likely serving as the attack vector, organisations must:

  • Implement comprehensive multi-factor authentication across all systems
  • Conduct regular audits of user accounts and access privileges
  • Promptly remove access for departed employees
  • Be particularly vigilant during mergers and acquisitions when legacy systems are integrated


Data Minimisation

Childcare providers should:

  • Review what data is truly necessary to collect and retain
  • Implement data retention policies that limit exposure
  • Ensure data is encrypted both at rest and in transit
  • Segregate particularly sensitive information with additional access controls


Incident Response Planning

Given the sector's vulnerability, providers need:

  • Pre-planned incident response procedures specifically addressing ransomware
  • Established relationships with cybersecurity firms for rapid response
  • Clear communication protocols for notifying affected families
  • Legal counsel familiar with data breach obligations


Third-Party Risk Management

When working with software platforms and service providers:

  • Conduct thorough security assessments of vendors
  • Ensure contractual obligations around security standards
  • Maintain visibility into how third parties access and handle data
  • Have contingency plans for vendor security failures



The Payment Dilemma

Organisations facing ransomware attacks confront an agonising decision: whether to pay the ransom. The arguments against payment are well-established—it funds criminal enterprises, provides no guarantee of data deletion, and encourages future attacks.

However, when the data concerns children and the criminals are actively working to turn affected families against the organisation, the pressure to pay becomes immense. Kido faces not just the technical consequences of the breach, but potential litigation, regulatory action, and permanent reputational damage.

This is precisely what Radiant Group is counting on—that the unique nature of children's data will make payment seem inevitable. Every organisation in the childcare sector should recognise that they could face similar pressure and prepare accordingly.

Government and Industry Response

The National Cyber Security Centre's involvement demonstrates recognition of the seriousness of this attack. However, the incident raises questions about whether more proactive measures are needed to protect the childcare sector specifically.


Potential responses could include:

  • Mandatory minimum cybersecurity standards for childcare providers
  • Government-funded security assessments for smaller providers
  • Sector-specific guidance and training programmes
  • Enhanced penalties for attacks targeting children's data
  • International coordination to pursue groups like Radiant Group



Our View

The Kido attack represents a troubling milestone in the evolution of ransomware tactics. By deliberately targeting children's data and weaponising public sentiment, Radiant Group has shown that some criminals will pursue any tactic that might prove financially effective, regardless of the harm caused.


The question now is whether the cybersecurity community, law enforcement, and society more broadly will allow this to become the new normal. The response to this attack—both in terms of supporting Kido and affected families, and in pursuing the perpetrators—will help determine whether targeting children's data remains beyond the pale or becomes just another criminal tactic.


For organisations across all sectors, but particularly those serving vulnerable populations, the message is clear: comprehensive cybersecurity is not optional, and the consequences of inadequate protection extend far beyond technical system failures to genuine human harm.

The criminals who attacked Kido have shown they will stop at nothing to extract payment. The only effective response is defence so robust that the attack never succeeds in the first place.



Protect Your Organisation and Those You Serve

The Kido attack demonstrates that no sector is immune to sophisticated cyber threats, and organisations serving vulnerable populations face unique pressures when compromised. Don't wait for an attack to discover your vulnerabilities.


At Altiatech, our cybersecurity experts specialise in comprehensive security assessments and protection strategies tailored to your sector's specific needs. From credential management to incident response planning, we help organisations build resilient defences against today's most dangerous threats.

Secure your organisation. Contact our team for a confidential security consultation:


Protect your data, your reputation, and those who trust you—before cybercriminals make that choice for you.

Critical TACACS+ Authentication Bypass Vulnerability Discovered in Cisco IOS and IOS XE

September 25, 2025
A newly disclosed critical vulnerability in Cisco's widely deployed IOS and IOS XE networking platforms has exposed a serious security flaw that could allow unauthorised attackers to completely bypass authentication controls. Tracked as CVE-2025-20160, this vulnerability highlights the importance of proper network security configuration and the potential consequences of seemingly minor misconfigurations.

When Digital Transformation Goes Wrong: Birmingham's £170m Oracle Disaster

By fahd.zafar September 25, 2025
Birmingham City Council's catastrophic Oracle implementation has become a textbook case of how digital transformation can spiral from ambitious modernisation into financial disaster. What began as a £19.9 million project to replace an ageing but functional SAP system has ballooned into a £170 million nightmare that helped push Europe's largest local authority into effective bankruptcy.

The £206m Wake-Up Call: How Cyber-Attacks Are Reshaping British Retail

September 25, 2025
The Co-op's devastating cyber-attack earlier this year has delivered a stark reminder of just how vulnerable our digital infrastructure has become. With £206m in lost revenues and £80m wiped from operating profits, this wasn't just a technical glitch—it was a business catastrophe that exposed the fragility of our interconnected retail ecosystem.

Lock In Your Microsoft Licensing Savings - Deadline November 1st

September 25, 2025
Time is running out to secure competitive Microsoft licensing rates before pricing standardisation takes effect.

Europe's Airport Chaos: Ransomware Grounds the Aviation Industry

September 23, 2025
Travellers across Europe are facing significant delays and disruptions as a ransomware attack on a critical aviation software provider brings manual check-in processes back to major airports. The European Union Agency for Cybersecurity (ENISA) has confirmed that ransomware is behind the ongoing chaos affecting airports from London to Brussels, highlighting the vulnerability of critical infrastructure to cyber attacks.

Stellantis Data Breach: Another Supply Chain Security Wake-Up Call

September 23, 2025
Car manufacturer Stellantis—the global automotive giant behind household names including Chrysler, Jeep, and Peugeot—has become the latest victim of a supply chain cyber attack, with customer data compromised through a third-party vendor breach.

Critical Microsoft Entra ID Vulnerability Exposes Enterprise Security Risks

September 22, 2025
Microsoft recently addressed a critical security vulnerability in its Entra ID platform that could have allowed attackers to impersonate any user, including those with the highest administrative privileges, across any organisation's tenant. This incident highlights the evolving sophistication of cloud-based threats and the critical importance of comprehensive identity security strategies.

Navigating the Modern IT Maze: A Strategic Approach to Complexity Management

By fahd.zafar September 19, 2025
IT leaders face an unprecedented challenge: managing increasingly complex technology environments whilst maintaining operational efficiency and driving innovation. The enterprise technology stack has transformed dramatically, creating both tremendous opportunities and significant operational headaches.

Urgent Security Alert: Critical Chrome Vulnerability

September 19, 2025
Action Required: Update Your Chrome Browser Immediately We're reaching out to alert you to a critical security vulnerability in Google Chrome that requires your immediate attention. Google has released an emergency security patch for a high-severity flaw that cybercriminals are already exploiting in the wild.

The Human Side of Digital Transformation: Why Putting People First Delivers Results

By fahd.zafar September 17, 2025
Digital transformation has become a business imperative, yet despite decades of investment in technology and management theory, the failure rate remains stubbornly high. A study conducted by Oxford's Saïd Business School and EY reveals why: organisations that put humans at the centre of their transformation journey are 2.6 times more likely to succeed than those that don't.