When Cybercriminals Target Children: The Kido Nursery Attack

September 29, 2025

In a disturbing escalation of ransomware tactics, the hacker group calling itself Radiant Group has crossed a line that even hardened cybercriminals typically avoid—deliberately targeting children's data and encouraging parents to sue the victimised organisation. The attack on UK nursery chain Kido represents not just a data breach, but a troubling evolution in cybercriminal behaviour that should alarm every organisation handling sensitive personal information.

The Attack: A Timeline of Escalating Threats

The Radiant Group claims to have compromised 18 UK nurseries managed by Kido, accessing data on more than 8,000 individuals. The breach, which may have occurred several weeks before parents were notified, has already seen the attackers release 10 children's profiles onto the dark web as proof of their access and willingness to follow through on threats.


The group's subsequent communications have been brazenly aggressive. On their dark web page, Radiant posted: "We encourage any parents that's been affected to sue the nursery. They do not care about your data," alongside a link to a joint claim page—an unprecedented move that weaponises affected families against the victim organisation.


The hackers have threatened to release significantly more sensitive information, including:

  • 30 additional children's profiles
  • Personal information of 100 employees including full names, national insurance numbers, dates of birth, and addresses
  • Employment records with start dates and email addresses
  • Accident and safeguarding reports
  • Billing information


This data represents a comprehensive dossier on the most vulnerable individuals and those responsible for their care—information that could be exploited in countless malicious ways.



Breaking Cybercriminal Norms

What makes this attack particularly concerning is its deliberate targeting of children's data. Historically, even ransomware groups operating with few ethical constraints have tended to backtrack when they discover children's information has been compromised, recognising both the reputational damage and potential for intensified law enforcement response.


If Radiant Group succeeds in extracting payment through these extreme tactics, it establishes a dangerous precedent that other criminal groups will inevitably follow. The targeting of children could shift from an unacceptable line to just another pressure tactic in the ransomware playbook.



The Attack Vector: Breached Credentials

Cybersecurity group Palo Alto Networks has indicated that "breached credentials" may have been used to gain access to Kido's data, potentially through a recent acquisition. This highlights a common vulnerability in organisational cybersecurity: the integration of newly acquired entities often creates security gaps as systems are consolidated, and legacy access controls may remain inadequately secured.


Initially, there was concern that the breach had occurred through Famly, a software platform used by many nurseries and childcare organisations. However, Anders Laustsen, chief executive of Famly, confirmed that a thorough investigation found "no breach of Famly's security or infrastructure in any way" and no other customers were affected.


This clarification is significant—it means the attack was targeted at Kido specifically rather than representing a supply chain compromise that could have affected numerous childcare providers simultaneously.



The Broader Implications

The Kido attack carries implications that extend far beyond a single nursery chain:

Vulnerability of Childcare Sector

Childcare providers often operate with limited IT security budgets and resources, making them attractive targets for cybercriminals. The sector handles extraordinarily sensitive information about children and families, creating a perfect storm of high-value data and potentially inadequate protection.


Weaponising Public Opinion

By actively encouraging parents to sue Kido and providing a platform for collective legal action, Radiant Group is pioneering a new tactic: turning victims against the victim organisation. This approach multiplies the pressure on the target whilst potentially making payment seem like the path of least resistance compared to protracted litigation.

Normalising the Unacceptable

If this attack proves financially successful for Radiant Group, it will inevitably be copied. What was once considered beyond the pale may become standard operating procedure, with criminals specifically targeting organisations that serve children, knowing the emotional and reputational leverage this provides.


Regulatory Response

The attack has already prompted a response from the National Cyber Security Centre (NCSC), which has issued specific guidance for early years groups. Jonathon Ellison, NCSC director for national resilience, described the reports as "deeply distressing", and the Metropolitan Police are investigating.

However, the incident raises questions about whether existing regulatory frameworks adequately address the unique vulnerabilities and responsibilities of organisations handling children's data.


The Human Cost

Behind the technical details and criminal tactics lies genuine harm to real families. Parents who entrust their children to nursery care have now discovered that sensitive information about their children—potentially including safeguarding concerns and accident reports—may be exposed on the dark web.


The psychological impact on affected families should not be underestimated. Parents must now consider whether information about their children could be used for identity theft, targeting, or other malicious purposes years into the future. The safeguarding reports in particular could contain sensitive information about family circumstances that parents reasonably expected would remain confidential.


For Kido staff, the exposure of national insurance numbers, addresses, and employment details creates immediate practical concerns about identity theft and fraud, alongside the professional distress of being caught up in such a public security failure.



Protecting Childcare Organisations

The Kido attack provides urgent lessons for all organisations in the childcare sector:

Credential Management

With breached credentials likely serving as the attack vector, organisations must:

  • Implement comprehensive multi-factor authentication across all systems
  • Conduct regular audits of user accounts and access privileges
  • Promptly remove access for departed employees
  • Be particularly vigilant during mergers and acquisitions when legacy systems are integrated
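
The account audit described in the list above, as an added example that is not part of the original article: it checks a constructed identity export for accounts without MFA, accounts of departed staff, stale accounts, and accounts inherited from an acquired entity. The CSV column names, the leaver list, the 90-day threshold and the legacy domain are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names and domains are assumptions.
ACCOUNTS_CSV = """username,email,mfa_enabled,last_login,privileged
a.khan,a.khan@example-nursery.test,true,2025-09-20,false
b.jones,b.jones@example-nursery.test,false,2025-09-25,true
c.lee,c.lee@acquired-co.test,false,2025-02-11,false
d.patel,d.patel@example-nursery.test,true,2025-09-01,false
svc.backup,svc.backup@acquired-co.test,true,2025-09-27,true
"""
LEAVERS = {"d.patel"}                   # constructed HR leaver list
LEGACY_DOMAINS = {"acquired-co.test"}   # hypothetical domain of an acquired entity
STALE_AFTER = timedelta(days=90)        # assumed inactivity threshold


def audit_accounts(csv_text, leavers, legacy_domains, today):
    """Return {username: [findings]} for every account that needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("no-mfa")
        if row["username"] in leavers:
            issues.append("departed-employee")
        last = row["last_login"].strip()
        # An account that has never logged in is treated as stale.
        if not last or today - date.fromisoformat(last) > STALE_AFTER:
            issues.append("stale")
        if row["email"].rsplit("@", 1)[-1].lower() in legacy_domains:
            issues.append("legacy-domain")
        # Escalate any finding that sits on a privileged account.
        if issues and row["privileged"].strip().lower() == "true":
            issues.append("privileged")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS_CSV, LEAVERS, LEGACY_DOMAINS, date(2025, 9, 29))
    for user, issues in report.items():
        print(f"{user}: {', '.join(issues)}")
```
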


Data Minimisation

Childcare providers should:

  • Review what data is truly necessary to collect and retain
  • Implement data retention policies that limit exposure
  • Ensure data is encrypted both at rest and in transit
  • Segregate particularly sensitive information with additional access controls


Incident Response Planning

Given the sector's vulnerability, providers need:

  • Pre-planned incident response procedures specifically addressing ransomware
  • Established relationships with cybersecurity firms for rapid response
  • Clear communication protocols for notifying affected families
  • Legal counsel familiar with data breach obligations


Third-Party Risk Management

When working with software platforms and service providers:

  • Conduct thorough security assessments of vendors
  • Ensure contractual obligations around security standards
  • Maintain visibility into how third parties access and handle data
  • Have contingency plans for vendor security failures



The Payment Dilemma

Organisations facing ransomware attacks confront an agonising decision: whether to pay the ransom. The arguments against payment are well-established—it funds criminal enterprises, provides no guarantee of data deletion, and encourages future attacks.

However, when the data concerns children and the criminals are actively working to turn affected families against the organisation, the pressure to pay becomes immense. Kido faces not just the technical consequences of the breach, but potential litigation, regulatory action, and permanent reputational damage.

This is precisely what Radiant Group is counting on—that the unique nature of children's data will make payment seem inevitable. Every organisation in the childcare sector should recognise that they could face similar pressure and prepare accordingly.

Government and Industry Response

The National Cyber Security Centre's involvement demonstrates recognition of the seriousness of this attack. However, the incident raises questions about whether more proactive measures are needed to protect the childcare sector specifically.


Potential responses could include:

  • Mandatory minimum cybersecurity standards for childcare providers
  • Government-funded security assessments for smaller providers
  • Sector-specific guidance and training programmes
  • Enhanced penalties for attacks targeting children's data
  • International coordination to pursue groups like Radiant Group



Our View

The Kido attack represents a troubling milestone in the evolution of ransomware tactics. By deliberately targeting children's data and weaponising public sentiment, Radiant Group has shown that some criminals will pursue any tactic that might prove financially effective, regardless of the harm caused.


The question now is whether the cybersecurity community, law enforcement, and society more broadly will allow this to become the new normal. The response to this attack—both in terms of supporting Kido and affected families, and in pursuing the perpetrators—will help determine whether targeting children's data remains beyond the pale or becomes just another criminal tactic.


For organisations across all sectors, but particularly those serving vulnerable populations, the message is clear: comprehensive cybersecurity is not optional, and the consequences of inadequate protection extend far beyond technical system failures to genuine human harm.

The criminals who attacked Kido have shown they will stop at nothing to extract payment. The only effective response is defence so robust that the attack never succeeds in the first place.



Protect Your Organisation and Those You Serve

The Kido attack demonstrates that no sector is immune to sophisticated cyber threats, and organisations serving vulnerable populations face unique pressures when compromised. Don't wait for an attack to discover your vulnerabilities.


At Altiatech, our cybersecurity experts specialise in comprehensive security assessments and protection strategies tailored to your sector's specific needs. From credential management to incident response planning, we help organisations build resilient defences against today's most dangerous threats.

Secure your organisation. Contact our team for a confidential security consultation:


Protect your data, your reputation, and those who trust you—before cybercriminals make that choice for you.


