Kido, a UK-based nursery business, fell victim to a targeted cyber attack by a hacking group known as Radiant. The attackers gained access to Kido’s systems after an initial access broker sold Kido’s network credentials, a common tactic in cybercrime. The hackers subsequently stole children’s personal data, including sensitive profiles, and published it online, sparking public outrage. While the group later deleted the stolen data following backlash, the breach exposed severe vulnerabilities in the education sector’s cybersecurity defenses. The incident underscored the growing threat to organizations handling minors’ data, where even opportunistic attacks can lead to reputational damage, legal risks, and emotional distress for affected families. The attack also highlighted broader systemic issues, such as underfunded security measures in educational institutions, which are increasingly targeted due to weak defenses and high-value data. Government responses, including potential bans on ransomware payments, aim to mitigate future risks, but the sector remains a prime target for cybercriminals exploiting gaps in protection.
TPRM report: https://www.rankiteo.com/company/kidoed
"id": "kid2592025100525",
"linkid": "kidoed",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Children and families (number '
'unspecified)',
'industry': 'Early Childhood Education',
'location': 'UK',
'name': 'Kido Nurseries',
'type': 'Private Nursery Business'},
{'customers_affected': 'Schools and students (number '
'unspecified)',
'industry': 'Public Education',
'location': 'West Lothian, UK',
'name': 'West Lothian Council',
'type': 'Local Government'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'Newcastle, UK',
'name': 'Newcastle University',
'type': 'Higher Education Institution'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'Manchester, UK',
'name': 'University of Manchester',
'type': 'Higher Education Institution'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'Wolverhampton, UK',
'name': 'University of Wolverhampton',
'type': 'Higher Education Institution'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'UK-wide',
'name': 'UK Secondary Schools (60% affected)',
'type': 'Public/Private Schools'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'UK-wide',
'name': 'UK Further Education Colleges (80% affected)',
'type': 'Further Education'},
{'customers_affected': 'Students and staff (number '
'unspecified)',
'industry': 'Education',
'location': 'UK-wide',
'name': 'UK Higher Education Institutions (90% '
'affected)',
'type': 'Universities'}],
'attack_vector': ['Phishing Emails',
'Initial Access Broker (IAB)',
'Ransomware'],
'customer_advisories': ['Kido: Informed families of data breach and '
'subsequent deletion by hackers.',
'Affected universities/schools: Likely notified '
'students/staff of breaches (details unspecified).'],
'data_breach': {'data_encryption': ['Confirmed (ransomware attacks)'],
'data_exfiltration': ['Confirmed (Kido, West Lothian Council, '
'universities)'],
'personally_identifiable_information': ['Children’s profiles '
'(Kido)',
'Student/staff '
'identities '
'(universities)'],
'sensitivity_of_data': ['High (children’s PII)',
'Moderate (student/staff records)'],
'type_of_data_compromised': ['Children’s profiles',
'Student records',
'Staff data',
'Academic/research data '
'(universities)']},
'date_publicly_disclosed': '2023-10',
'description': 'Hackers targeted UK nurseries (specifically Kido) and the '
'broader education sector, including schools and universities, '
'with phishing and ransomware attacks. The Kido nursery attack '
'involved an initial access broker selling system access to '
'the Radiant hacking group, which published children’s data '
'online before deleting it due to backlash. The education '
'sector, including secondary schools, further education '
'colleges, and higher education institutions, faces frequent '
'cyber threats, often due to opportunistic targeting, funding '
'constraints, and lack of cybersecurity expertise. Ransomware '
'attacks have disrupted institutions like West Lothian '
'Council, Newcastle University, the University of Manchester, '
'and the University of Wolverhampton. The UK government is '
'considering banning ransomware payments for schools, the NHS, '
'and local councils to deter attackers.',
'impact': {'brand_reputation_impact': ['Damage to trust in Kido and affected '
'institutions',
'Negative publicity for education '
'sector cybersecurity'],
'customer_complaints': ['Backlash against Kido hackers for '
'publishing children’s data'],
'data_compromised': ['Children’s profiles (Kido)',
'School/University data (unspecified)',
'Student/Staff records'],
'identity_theft_risk': ['High (children’s data exposed)'],
'operational_impact': ['Disruption to education services',
'Data exposure',
'System encryption (ransomware)'],
'systems_affected': ['Kido nursery IT systems',
'West Lothian Council education network',
'Newcastle University systems',
'University of Manchester systems',
'University of Wolverhampton systems']},
'initial_access_broker': {'data_sold_on_dark_web': 'Confirmed (access to '
'Kido’s systems sold to '
'Radiant)',
'entry_point': 'Sold access to Kido’s systems '
'(method unspecified)',
'high_value_targets': ['Kido nursery data',
'Education sector IT '
'systems']},
'investigation_status': 'Ongoing (government and institutional responses '
'active; no closure reported)',
'lessons_learned': ['Education sector is a high-risk target due to '
'opportunistic attacks and systemic vulnerabilities '
'(funding, expertise, open networks).',
'Phishing remains the most common attack vector; '
'staff/student cybersecurity training is critical.',
'Initial access brokers play a key role in facilitating '
'attacks on smaller entities like nurseries.',
'Public backlash can influence hacker behavior (e.g., '
'Kido data deletion).',
'Government support (e.g., NCSC training, DfE response '
'teams) is essential but may need expansion.'],
'motivation': ['Financial gain (ransomware)', 'Data theft/sale', 'Disruption'],
'post_incident_analysis': {'corrective_actions': ['Government-proposed ban on '
'ransomware payments for '
'public sector entities.',
'Expanded NCSC training and '
'DfE support for schools.',
'Heightened awareness of '
'phishing/ransomware risks '
'in education.',
'Potential policy changes '
'to mandate cybersecurity '
'standards for '
'schools/universities.'],
'root_causes': ['Opportunistic targeting of '
'vulnerable sectors (education).',
'Lack of cybersecurity '
'funding/expertise in schools.',
'Student/staff cybersecurity '
'illiteracy.',
'Open academic networks '
'prioritizing collaboration over '
'security.',
'Initial access brokers exploiting '
'weak entry points.']},
'ransomware': {'data_encryption': ['Confirmed (West Lothian Council, '
'universities)'],
'data_exfiltration': ['Confirmed (double extortion tactics)']},
'recommendations': ['Increase funding for cybersecurity in schools and '
'universities.',
'Mandate regular cybersecurity training for staff and '
'students.',
'Implement stricter access controls and network '
'segmentation in academic environments.',
'Expand government initiatives like free NCSC training '
'and incident response teams.',
'Prohibit ransomware payments to discourage attacks (as '
'proposed by UK government).',
'Enhance monitoring for initial access broker activity in '
'the education sector.'],
'references': [{'source': 'BBC News'},
{'source': 'UK Government Cyber Security Breaches Survey 2023'},
{'source': 'Darktrace (Toby Lewis, Global Head of Threat '
'Analysis)'},
{'source': 'Department for Education (DfE) Statement'}],
'regulatory_compliance': {'regulatory_notifications': ['Potential UK '
'government ban on '
'ransomware payments '
'for '
'schools/NHS/councils']},
'response': {'communication_strategy': ['Public disclosure of incidents',
'Government statements on support '
'measures'],
'containment_measures': ['Data deletion by hackers (Kido)',
'System recovery (unspecified for other '
'entities)'],
'incident_response_plan_activated': ['Kido (post-breach data '
'deletion)',
'West Lothian Council '
'(unspecified)',
'Universities '
'(unspecified)'],
'remediation_measures': ['Government cybersecurity training for '
'school staff',
'Dedicated DfE cyber incident response '
'team'],
'third_party_assistance': ['Darktrace (threat analysis)',
'UK National Cyber Security Centre '
'(NCSC)']},
'stakeholder_advisories': ['UK Association of School and College Leaders '
"(Pepe Di’Iasio): Warned of ransomware as a 'major "
"risk'.",
'National Association of Head Teachers (James '
'Bowen): Called for additional government funding '
'for cyber threat response.',
'DfE: Emphasized existing support (NCSC training, '
'incident response teams) and seriousness of cyber '
'threats.'],
'threat_actor': ['Radiant (hacking group)',
'Initial Access Broker (unspecified)',
'Opportunistic cybercriminals'],
'title': 'Cyber Attacks on UK Nurseries and Broader Education Sector',
'type': ['Data Breach', 'Ransomware Attack', 'Phishing'],
'vulnerability_exploited': ['Lack of cybersecurity expertise',
'Funding constraints',
'Opportunistic targeting',
'Student cybersecurity illiteracy',
'Open academic networks']}