The Attack: A Timeline of Escalating Threats

The Radiant Group claims to have compromised 18 UK nurseries managed by Kido, accessing data on more than 8,000 individuals. The breach, which may have occurred several weeks before parents were notified, has already seen the attackers release 10 children's profiles onto the dark web as proof of their access and willingness to follow through on threats.

The group's subsequent communications have been brazenly aggressive. On their dark web page, Radiant posted: "We encourage any parents that's been affected to sue the nursery. They do not care about your data," alongside a link to a joint claim page—an unprecedented move that weaponises affected families against the victim organisation.

The hackers have threatened to release significantly more sensitive information, including:

• 30 additional children's profiles
• Personal information of 100 employees including full names, national insurance numbers, dates of birth, and addresses
• Employment records with start dates and email addresses
• Accident and safeguarding reports
• Billing information

This data represents a comprehensive dossier on the most vulnerable individuals and those responsible for their care—information that could be exploited in countless malicious ways.

Breaking Cybercriminal Norms

What makes this attack particularly concerning is its deliberate targeting of children's data. Historically, even ransomware groups operating with few ethical constraints have tended to backtrack when they discover children's information has been compromised, recognising both the reputational damage and potential for intensified law enforcement response.

If Radiant Group succeeds in extracting payment through these extreme tactics, it establishes a dangerous precedent that other criminal groups will inevitably follow. The targeting of children could shift from an unacceptable line to just another pressure tactic in the ransomware playbook.

The Attack Vector: Breached Credentials

Cybersecurity group Palo Alto Networks has indicated that "breached credentials" may have been used to gain access to Kido's data, potentially through a recent acquisition. This highlights a common vulnerability in organisational cybersecurity: the integration of newly acquired entities often creates security gaps as systems are consolidated and legacy access controls may remain inadequately secured.

Initially, there was concern that the breach had occurred through Famly, a software platform used by many nurseries and childcare organisations. However, Anders Laustsen, chief executive of Famly, confirmed that a thorough investigation found "no breach of Famly's security or infrastructure in any way" and no other customers were affected.

This clarification is significant—it means the attack was targeted at Kido specifically rather than representing a supply chain compromise that could have affected numerous childcare providers simultaneously.

The Broader Implications

The Kido attack carries implications that extend far beyond a single nursery chain:

Vulnerability of Childcare Sector

Childcare providers often operate with limited IT security budgets and resources, making them attractive targets for cybercriminals. The sector handles extraordinarily sensitive information about children and families, creating a perfect storm of high-value data and potentially inadequate protection.

Weaponising Public Opinion

By actively encouraging parents to sue Kido and providing a platform for collective legal action, Radiant Group is pioneering a new tactic: turning victims against the victim organisation. This approach multiplies the pressure on the target whilst potentially making payment seem like the path of least resistance compared to protracted litigation.

Normalising the Unacceptable

If this attack proves financially successful for Radiant Group, it will inevitably be copied. What was once considered beyond the pale may become standard operating procedure, with criminals specifically targeting organisations that serve children, knowing the emotional and reputational leverage this provides.

Regulatory Response

The attack has already prompted response from the National Cyber Security Centre (NCSC), which has issued specific guidance for early years groups. Jonathon Ellison, NCSC director for national resilience, described the reports as "deeply distressing" and the Metropolitan Police are investigating.

However, the incident raises questions about whether existing regulatory frameworks adequately address the unique vulnerabilities and responsibilities of organisations handling children's data.

The Human Cost

Behind the technical details and criminal tactics lies genuine harm to real families. Parents who entrust their children to nursery care have now discovered that sensitive information about their children—potentially including safeguarding concerns and accident reports—may be exposed on the dark web.

The psychological impact on affected families should not be underestimated. Parents must now consider whether information about their children could be used for identity theft, targeting, or other malicious purposes years into the future. The safeguarding reports in particular could contain sensitive information about family circumstances that parents reasonably expected would remain confidential.

For Kido staff, the exposure of national insurance numbers, addresses, and employment details creates immediate practical concerns about identity theft and fraud, alongside the professional distress of being caught up in such a public security failure.

Protecting Childcare Organisations

The Kido attack provides urgent lessons for all organisations in the childcare sector:

Credential Management

With breached credentials likely serving as the attack vector, organisations must:

• Implement comprehensive multi-factor authentication across all systems
• Conduct regular audits of user accounts and access privileges
• Promptly remove access for departed employees
• Be particularly vigilant during mergers and acquisitions when legacy systems are integrated

Data Minimisation

Childcare providers should:

• Review what data is truly necessary to collect and retain
• Implement data retention policies that limit exposure
• Ensure data is encrypted both at rest and in transit
• Segregate particularly sensitive information with additional access controls

Incident Response Planning

Given the sector's vulnerability, providers need:

• Pre-planned incident response procedures specifically addressing ransomware
• Established relationships with cybersecurity firms for rapid response
• Clear communication protocols for notifying affected families
• Legal counsel familiar with data breach obligations

Third-Party Risk Management

When working with software platforms and service providers:

• Conduct thorough security assessments of vendors
• Ensure contractual obligations around security standards
• Maintain visibility into how third parties access and handle data
• Have contingency plans for vendor security failures

The Payment Dilemma

Organisations facing ransomware attacks confront an agonising decision: whether to pay the ransom. The arguments against payment are well-established—it funds criminal enterprises, provides no guarantee of data deletion, and encourages future attacks.

However, when the data concerns children and the criminals are actively working to turn affected families against the organisation, the pressure to pay becomes immense. Kido faces not just the technical consequences of the breach, but potential litigation, regulatory action, and permanent reputational damage.

This is precisely what Radiant Group is counting on—that the unique nature of children's data will make payment seem inevitable. Every organisation in the childcare sector should recognise that they could face similar pressure and prepare accordingly.

Government and Industry Response

The National Cyber Security Centre's involvement demonstrates recognition of the seriousness of this attack. However, the incident raises questions about whether more proactive measures are needed to protect the childcare sector specifically.

Potential responses could include:

• Mandatory minimum cybersecurity standards for childcare providers
• Government-funded security assessments for smaller providers
• Sector-specific guidance and training programmes
• Enhanced penalties for attacks targeting children's data
• International coordination to pursue groups like Radiant Group

Our View

The Kido attack represents a troubling milestone in the evolution of ransomware tactics. By deliberately targeting children's data and weaponising public sentiment, Radiant Group has shown that some criminals will pursue any tactic that might prove financially effective, regardless of the harm caused.

The question now is whether the cybersecurity community, law enforcement, and society more broadly will allow this to become the new normal. The response to this attack—both in terms of supporting Kido and affected families, and in pursuing the perpetrators—will help determine whether targeting children's data remains beyond the pale or becomes just another criminal tactic.

For organisations across all sectors, but particularly those serving vulnerable populations, the message is clear: comprehensive cybersecurity is not optional, and the consequences of inadequate protection extend far beyond technical system failures to genuine human harm.

The criminals who attacked Kido have shown they will stop at nothing to extract payment. The only effective response is defence so robust that the attack never succeeds in the first place.

Protect Your Organisation and Those You Serve

The Kido attack demonstrates that no sector is immune to sophisticated cyber threats, and organisations serving vulnerable populations face unique pressures when compromised. Don't wait for an attack to discover your vulnerabilities.

At Altiatech, our cybersecurity experts specialise in comprehensive security assessments and protection strategies tailored to your sector's specific needs. From credential management to incident response planning, we help organisations build resilient defences against today's most dangerous threats.

Secure your organisation. Contact our team for a confidential security consultation:

• Phone: +44 (0)330 332 5482
• Email: innovate@altiatech.com

Protect your data, your reputation, and those who trust you—before cybercriminals make that choice for you.