Kido nursery chain

The Kido nursery chain suffered a severe ransomware attack carried out by the Radiant group, compromising sensitive data of approximately 8,000 children and their families. The stolen information included names, home addresses, photographs, parent/carer contact details, confidential medical records, and safeguarding notes, accessed via a breach in Famly, a third-party software provider used by the nursery. The attackers demanded £600,000 in Bitcoin, contacted parents directly to escalate pressure, and leaked some children’s photos on the dark web before retreating due to backlash and claiming to have deleted all stolen data. The incident led to the arrest of two 17-year-old suspects by the UK Metropolitan Police’s Cyber Crime Unit. The attack highlights the vulnerability of the education sector, where limited IT funding and phishing exploits (e.g., Remcos RAT) make institutions prime targets. The use of children’s data for extortion was condemned as an unprecedented low in cybercrime, elevating data protection to a critical safety priority.

Source: https://hackread.com/uk-police-arrest-teens-kido-nursery-ransomware-attack/

TPRM report: https://www.rankiteo.com/company/kido-cloud

"id": "kid0792107100825",
"linkid": "kido-cloud",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '8,000 children and families',
                        'industry': 'Early Childhood Education',
                        'location': 'UK',
                        'name': 'Kido Nursery Chain',
                        'type': 'Private Education Provider'},
                       {'industry': 'Education Technology',
                        'name': 'Famly',
                        'type': 'Software Provider'}],
 'attack_vector': ['third-party software vulnerability (Famly)',
                   'phishing (potential initial access)'],
 'customer_advisories': 'Parents likely notified (details unspecified)',
 'data_breach': {'data_encryption': 'Likely (ransomware attack)',
                 'data_exfiltration': 'Yes (posted samples on dark web, later '
                                      'claimed deleted)',
                 'file_types_exposed': ['databases', 'images', 'documents'],
                 'number_of_records_exposed': '8,000',
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, contact '
                                                        'details, medical '
                                                        'records)',
                 'sensitivity_of_data': "Extremely High (children's personal "
                                        'and medical data)',
                 'type_of_data_compromised': ['PII',
                                              'medical records',
                                              'safeguarding notes',
                                              'photographs']},
 'date_detected': '2025-09-25',
 'date_publicly_disclosed': '2025-09-25',
 'description': 'The UK Metropolitan Police arrested two 17-year-old boys in '
                'connection with a ransomware attack on the Kido nursery '
                'chain, which compromised sensitive data of approximately '
                '8,000 children and their families. The Radiant ransomware '
                'group stole data including names, addresses, photographs, '
                'medical records, and safeguarding notes via a third-party '
                'software (Famly). The group demanded £600,000 in Bitcoin, '
                'contacted parents directly, and posted children’s photos on '
                'the dark web before deleting the data following backlash.',
 'impact': {'brand_reputation_impact': "Severe (children's data exposed, "
                                       'public backlash)',
            'customer_complaints': 'Likely (parents contacted directly by '
                                   'attackers)',
            'data_compromised': ['names',
                                 'home addresses',
                                 'photographs',
                                 'parent/carer contact details',
                                 'medical records',
                                 'safeguarding notes'],
            'identity_theft_risk': 'High (PII and medical records exposed)',
            'legal_liabilities': 'Potential (GDPR violations, child data '
                                 'protection laws)',
            'operational_impact': 'High (extortion campaign, direct parent '
                                  'contact, dark web data exposure)',
            'systems_affected': ['Famly software',
                                 'Kido nursery chain databases']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Partially (sample photos '
                                                    'posted, later deleted)',
                           'entry_point': 'Third-party software (Famly)',
                           'high_value_targets': "Children's medical and "
                                                 'safeguarding data'},
 'investigation_status': 'Ongoing (two suspects in custody as of 2025-10-07)',
 'lessons_learned': 'The incident highlights critical vulnerabilities in the '
                    'education sector, particularly with third-party software '
                    'dependencies and the extreme risks of child data '
                    'exposure. Proactive cybersecurity measures, including '
                    'vendor risk assessments and phishing defenses, are '
                    'essential.',
 'motivation': ['financial gain', 'extortion'],
 'post_incident_analysis': {'root_causes': ['Third-party software '
                                            'vulnerability (Famly)',
                                            'Likely phishing or credential '
                                            'compromise (initial access method '
                                            'unspecified)',
                                            'Insufficient cybersecurity '
                                            'funding in education sector']},
 'ransomware': {'data_encryption': 'Likely',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '£600,000 (in Bitcoin)',
                'ransom_paid': 'No (attackers retreated due to backlash)',
                'ransomware_strain': 'Radiant'},
 'recommendations': ['Conduct third-party software security audits (e.g., '
                     'Famly)',
                     'Implement multi-factor authentication and zero-trust '
                     'architectures',
                     'Enhance phishing awareness training for staff',
                     'Establish incident response plans specific to child data '
                     'breaches',
                     'Advocate for increased IT funding in education sectors'],
 'references': [{'source': 'BBC News'},
                {'source': 'Metropolitan Police Press Release'},
                {'source': 'Check Point Research'},
                {'source': 'Hackread (AtlastVPN/Sophos report)'}],
 'regulatory_compliance': {'legal_actions': 'Ongoing (police investigation, '
                                            'potential charges for computer '
                                            'misuse and blackmail)',
                           'regulations_violated': ['UK GDPR',
                                                    'Data Protection Act 2018',
                                                    "Children's data "
                                                    'protection laws']},
 'response': {'communication_strategy': ['Public statements by Met Police and '
                                         'Kido',
                                         'Parent notifications (implied)'],
              'containment_measures': ['Radiant group deleted stolen data '
                                       '(self-reported)',
                                       'Police custody of suspects'],
              'incident_response_plan_activated': 'Yes (Metropolitan Police '
                                                  'Cyber Crime Unit '
                                                  'investigation)',
              'law_enforcement_notified': 'Yes (Metropolitan Police, arrests '
                                          'made on 2025-10-07)'},
 'stakeholder_advisories': ['Met Police reassurance statement',
                            'Kido nursery group statement welcoming arrests'],
 'threat_actor': 'Radiant ransomware group',
 'title': "Ransomware Attack on Kido Nursery Chain Compromising Children's "
          'Data',
 'type': ['ransomware', 'data breach', 'extortion'],
 'vulnerability_exploited': 'Third-party software (Famly) used by Kido nursery '
                            'chain'}