When Cybercriminals Target Our Children: The Kido International Ransomware Attack

Breached Company

Breached Company

7 min read
When Cybercriminals Target Our Children: The Kido International Ransomware Attack

A Wake-Up Call for Organizations Handling Family Data

On September 25, 2025, parents across London woke to a nightmare scenario that no family should ever face: their children's photographs, names, home addresses, and sensitive personal information had been stolen by cybercriminals and posted on the dark web. The attack on Kido International, a respected nursery chain operating 18 sites across the UK, marks a disturbing new low in the ransomware landscape—one that has sent shockwaves through the education sector and beyond.

The Attack: A Timeline of Events

The breach came to light in late September 2025 when a previously unknown ransomware group calling itself "Radiant" claimed responsibility for infiltrating Kido International's systems. What followed was a calculated campaign of psychological warfare designed to maximize pressure on the organization.

The Stolen Data:

  • Personal information on approximately 8,000 children
  • Full names, photographs, and dates of birth
  • Home addresses and birthplaces
  • Parents' and carers' contact details
  • Safeguarding notes and medical records
  • Accident reports and medication information
  • Billing and financial information
  • Personal data on roughly 100 employees, including National Insurance numbers

The Escalating Threats:

On September 24, Radiant posted its first "proof of breach," publishing profiles of 10 children on its dark web site. By September 26, another 10 children's profiles had been released. The group then outlined a chilling "data leakage roadmap," threatening to release 30 additional child profiles and the complete personal data of 100 employees unless their ransom demands were met.

The Unthinkable Tactic: Contacting Parents Directly

What sets this attack apart from typical ransomware incidents is the criminals' decision to contact parents directly—a particularly aggressive escalation that cybersecurity experts have condemned as crossing an ethical line.

One mother reported receiving a threatening phone call from the attackers, who told her they would post her child's information online unless she pressured Kido to pay the ransom. The group later admitted to hiring individuals to make these calls, revealing a level of organization and psychological manipulation that goes beyond standard ransomware tactics.

In conversations with media outlets, the Radiant group defended their actions, claiming they deserved "compensation for our pentest" (penetration test). When challenged about the morality of targeting children, they were blunt: "We do it for money, not for anything other than money. I'm aware we are criminals."

The Investigation and Response

Law Enforcement:
The Metropolitan Police received a referral on September 25 and confirmed that enquiries are ongoing through their Cyber Crime Unit. As of now, no arrests have been made, and the investigation remains in its early stages.

Regulatory Bodies:
The Information Commissioner's Office (ICO), the UK's data protection watchdog, is assessing the incident. Under UK data protection laws, organizations can face significant fines for failing to adequately protect personal information.

The Victim's Response:
Kido has contacted affected families but has not issued a comprehensive public statement. In an internal email, Kido UK's Chief Executive Catherine Stoneman linked the breach to "two third-party systems used to process certain data," noting the company is treating the incident "with the highest priority."

One third-party vendor, Famly (a widely-used nursery management platform), has conducted a thorough investigation and confirmed that its systems were not breached and no other customers were affected.

Expert Reactions: A "New Low"

The cybersecurity community has responded with uncharacteristic emotion to this attack, with many describing it as one of the most reprehensible incidents they've witnessed.

Jonathon Ellison, NCSC Director for National Resilience, stated: "The reports of highly sensitive data being stolen in a cyber incident impacting nurseries are deeply distressing. Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act."

Graeme Stewart from Check Point described the attack as "an absolute new low" and "appalling," adding: "To deliberately put children and schools in the firing line is indefensible."

Dray Agha, Senior Manager of Security Operations at Huntress, said: "This represents a reprehensible erosion of any remaining boundaries in the cybercriminal ecosystem. By weaponizing the personal data of infants and toddlers, this group has sunk to a depth that even other threat actors may condemn."

Rebecca Moody, Head of Data Research at Comparitech, noted: "We've seen some low claims from ransomware gangs before, but this feels like an entirely different level."

Who Is Radiant?

Very little is known about the Radiant ransomware group. This appears to be their first major attack, with Kido International being the only victim on their bare-bones dark web site. Key observations:

  • The group claims to be based in Russia, though this remains unverified
  • They appear to be fluent in English, though it may not be their first language
  • No established threat intelligence groups or cybersecurity researchers had profiled them before this attack
  • Their dark web site previously contained an "About" section stating they were a financially motivated operation engaging in double-extortion attacks without affiliates—this section was later deleted
  • Following media backlash, they announced they would blur children's faces in future leaks but would continue releasing data

The group's ransom demand is reportedly around 1.5% of a company's annual revenue. As of the latest reports, no ransom has been paid.

The Third-Party Problem

This incident highlights a critical vulnerability in modern data management: the third-party software ecosystem. Early reports suggest the breach may have occurred through third-party systems used by Kido for parent communication apps and management platforms.

This is not an isolated problem. Organizations increasingly rely on external vendors for critical functions, creating an expanded attack surface that can be difficult to monitor and secure. Each vendor represents a potential entry point for attackers, and the responsibility for vetting, monitoring, and securing these relationships often falls through the cracks.

What This Means for Organizations Handling Family Data

The Kido attack should serve as an urgent wake-up call for any organization that holds sensitive information about children and families. Here are the critical takeaways:

1. Implement Least Privilege Access

Not everyone needs access to all data. Strictly limit who can view sensitive information about children and families, and regularly audit access permissions. If a system is compromised, limited access can contain the damage.

2. Conduct Immediate Vendor Security Reviews

  • Identify all third-party systems that have access to sensitive data
  • Request recent security audits and penetration test results
  • Review data processing agreements and security clauses
  • Assess vendor response capabilities in the event of a breach
  • Consider data minimization: does each vendor really need all the data they're getting?

3. Establish Crisis-Ready Communications

Have a response plan that prioritizes protecting families:

  • Templates for rapid notification to affected families
  • Clear guidance on what families should do if their data is compromised
  • Dedicated support channels for concerned parents
  • Coordination with law enforcement and regulatory bodies
  • Public relations strategy that emphasizes transparency and accountability

4. Schedule Regular Independent Security Audits

Annual or bi-annual third-party security assessments are not optional—they're essential. These should include:

  • Penetration testing of all systems that store or process family data
  • Social engineering tests to identify staff vulnerabilities
  • Review of backup and recovery procedures
  • Assessment of incident response capabilities

5. Ask the Hard Questions

  • Who can access what data, and when was this last reviewed?
  • When was our last independent security audit?
  • What would happen if our primary vendor were breached?
  • Do we have a tested incident response plan?
  • Are our staff trained to recognize phishing and social engineering attempts?
  • Have we minimized the data we collect and retain?

6. Stop Treating Child Data as Inventory

Children's personal information is not just another data point. It represents real people who cannot consent to data collection and who face unique vulnerabilities if their information is exposed. Organizations must elevate the protection of children's data to the highest priority level.

The Broader Context: Rising Attacks on Education

The Kido incident is unfortunately part of a broader trend. The education sector has become an increasingly attractive target for cybercriminals due to:

  • Limited resources: Schools and nurseries often lack dedicated IT security staff and budgets
  • Valuable data: Student records, financial information, and family data are valuable on criminal markets
  • Emotional leverage: Attacks on educational institutions create immense pressure due to concerns about child safety
  • Soft targets: Security practices may not be as mature as in corporate environments

Recent months have seen attacks on the Harris Federation schools in London, and major incidents affecting retailers and healthcare providers. The UK government is moving to ban public sector bodies from paying ransoms, though private organizations like Kido are not covered by this ban—they will, however, be required to notify the government of any intent to pay.

Protecting Your Family's Data

For parents whose children attend nurseries, schools, or other organizations that collect family data:

  • Ask about security practices: Don't hesitate to inquire about how your child's data is protected
  • Review privacy policies: Understand what data is collected, how it's stored, and who has access
  • Advocate for minimal collection: Question whether all requested information is truly necessary
  • Monitor for signs of compromise: Watch for unusual communications or activity related to your child's accounts
  • Enable alerts: Set up identity monitoring if available to catch potential misuse of your family's information

A Moral Reckoning

The Radiant group's attack on Kido International forces us to confront uncomfortable questions about the state of cybersecurity and the ethics of modern cybercrime. When criminals are willing to weaponize photographs of toddlers and threaten parents directly, we've entered territory that demands a response beyond traditional security measures.

This is not just about better firewalls or more frequent security audits—though those are certainly needed. It's about recognizing that some data is not just commercially sensitive; it's deeply personal and involves our most vulnerable population.

Organizations that handle children's information must treat that responsibility with the gravity it deserves. Anything less is not just a security failure—it's a moral failure.

Moving Forward

The investigation into the Kido attack continues, and many questions remain unanswered. But the lessons are already clear:

For organizations: The time to act is now. Review your security posture, audit your vendors, and prioritize the protection of children's data above cost considerations or convenience.

For parents: Stay informed, ask questions, and hold organizations accountable for protecting your family's information.

For policymakers: Consider whether current regulations adequately protect children's data and whether the penalties for failures are sufficient to drive meaningful change.

The Kido International attack is a watershed moment. It represents the crossing of a line that most in the cybersecurity community hoped would remain uncrossed. How we respond—as organizations, parents, and a society—will determine whether this becomes a cautionary tale that drove positive change, or the first of many similar nightmares to come.

The investigation remains ongoing. Organizations concerned about their security posture or parents seeking guidance on protecting their family's data should consult with cybersecurity professionals and relevant authorities.

Sources: BBC News, ITV News, CNN, Cybernews, The Register, Malwarebytes, SC Media, The Guardian, Sky News, Check Point Research, and other cybersecurity industry outlets.

Read more