Kido

Kido, a UK-based nursery business, was targeted by a hacking group named Radiant, which gained unauthorized access to the company’s systems after an initial access broker sold the entry point. The attackers published children’s personal data online, including sensitive profiles, sparking public outrage. While the hackers later deleted the stolen data following backlash, the breach exposed highly vulnerable information, namely children’s details, posing risks of identity theft, fraud, or further exploitation. The attack was opportunistic, leveraging common cybercrime tactics like phishing or credential theft, rather than a targeted campaign. The incident underscores the education sector’s vulnerability, particularly in organizations handling sensitive data with limited cybersecurity resources. The UK government’s broader data reveals that nine out of 10 higher education institutions and a majority of schools face similar threats, with ransomware and data breaches becoming systemic risks. Kido’s case highlights the reputational damage, emotional distress to families, and potential long-term trust erosion in institutional data protection.

Source: https://www.theguardian.com/technology/2025/oct/05/uk-secondary-schools-suffered-cyber-attack-or-breach-in-past-year

TPRM report: https://www.rankiteo.com/company/kidousa

"id": "kid3192031100525",
"linkid": "kidousa",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Children and Families (Exact '
                                              'Number Unspecified)',
                        'industry': 'Early Childhood Education',
                        'location': 'UK',
                        'name': 'Kido Nurseries',
                        'type': 'Private Nursery Business'},
                       {'customers_affected': 'Students and Staff (Exact '
                                              'Number Unspecified)',
                        'industry': 'Public Education',
                        'location': 'West Lothian, UK',
                        'name': 'West Lothian Council (Education Network)',
                        'type': 'Local Government'},
                       {'industry': 'Education',
                        'location': 'Newcastle, UK',
                        'name': 'Newcastle University',
                        'type': 'Higher Education Institution'},
                       {'industry': 'Education',
                        'location': 'Manchester, UK',
                        'name': 'University of Manchester',
                        'type': 'Higher Education Institution'},
                       {'industry': 'Education',
                        'location': 'Wolverhampton, UK',
                        'name': 'University of Wolverhampton',
                        'type': 'Higher Education Institution'},
                       {'industry': 'Education',
                        'location': 'UK',
                        'name': 'UK Secondary Schools (60% Affected)',
                        'type': 'Educational Institutions'},
                       {'industry': 'Education',
                        'location': 'UK',
                        'name': 'UK Further Education Colleges (80% Affected)',
                        'type': 'Educational Institutions'},
                       {'industry': 'Education',
                        'location': 'UK',
                        'name': 'UK Higher Education Institutions (90% '
                                'Affected)',
                        'type': 'Educational Institutions'}],
 'attack_vector': ['Phishing Emails',
                   'Initial Access Broker (IAB)',
                   'Ransomware Encryption'],
 'customer_advisories': ['Kido Nurseries likely notified affected families; '
                         'specifics undisclosed.'],
 'data_breach': {'data_encryption': ['Ransomware Encryption (West Lothian '
                                     'Council, Universities)'],
                 'data_exfiltration': ['Confirmed (Kido Nurseries)',
                                       'Likely (West Lothian Council, '
                                       'Universities)'],
                 'personally_identifiable_information': ['Children’s Data '
                                                         '(Kido)',
                                                         'Student/Staff Data '
                                                         '(Universities)'],
                 'sensitivity_of_data': 'High (Includes Children’s PII)',
                 'type_of_data_compromised': ['Children’s Personal Profiles',
                                              'Educational Records',
                                              'Potentially Sensitive '
                                              'Academic/Administrative Data']},
 'date_publicly_disclosed': '2023-10',
 'description': 'A series of cyber attacks targeted the UK education sector, '
                'with a notable incident involving the nursery business Kido, '
                'whose systems were breached by the hacking group Radiant '
                'after an initial access broker sold access. The attackers '
                'published children’s data online but later deleted it '
                'following backlash. The broader education sector, including '
                'schools and universities, faces frequent cyber threats, '
                'primarily through phishing and ransomware attacks. Government '
                'data indicates that 60% of secondary schools, 80% of further '
                'education colleges, and 90% of higher education institutions '
                'reported breaches or attacks in the past year. State schools '
                'are particularly vulnerable due to funding pressures and lack '
                'of expertise, while universities face risks from large, open '
                'networks and cyber-illiterate students.',
 'impact': {'brand_reputation_impact': ['Negative Publicity for Kido Nurseries',
                                        'Erosion of Trust in Education Sector '
                                        'Cybersecurity'],
            'data_compromised': ['Children’s Profiles (Kido Nurseries)',
                                 'School/University Data (West Lothian '
                                 'Council, Newcastle University, University of '
                                 'Manchester, University of Wolverhampton)'],
            'identity_theft_risk': ['High (Children’s Data Exposed)'],
            'operational_impact': ['Disruption to Educational Services',
                                   'Data Publication Online (Later Deleted)',
                                   'Potential Long-Term Trust Erosion'],
            'systems_affected': ['Kido Nurseries’ IT Systems',
                                 'West Lothian Council’s Education Network',
                                 'Universities’ Academic Networks']},
 'initial_access_broker': {'backdoors_established': 'Likely (Standard IAB '
                                                    'Practice)',
                           'data_sold_on_dark_web': 'Likely (Initial Access to '
                                                    'Kido Sold to Radiant)',
                           'entry_point': 'Unspecified Vulnerability in Kido’s '
                                          'Systems',
                           'high_value_targets': ['Children’s Data (Kido)',
                                                  'Academic/Administrative '
                                                  'Data (Universities)']},
 'investigation_status': 'Ongoing (Government and Institutional Responses)',
 'lessons_learned': ['Education sector is a high-risk target due to '
                     'opportunistic cybercrime and systemic vulnerabilities '
                     '(funding, expertise, open networks).',
                     'Phishing remains the most common attack vector, '
                     'highlighting the need for staff/student cybersecurity '
                     'training.',
                     'Initial access brokers play a key role in facilitating '
                     'attacks on less-secure targets like nurseries.',
                     'Public backlash can influence attacker behavior (e.g., '
                     'data deletion post-outcry).',
                     'Government support (training, incident response teams) '
                     'is critical but may require additional funding to scale '
                     'effectively.'],
 'motivation': ['Financial Gain (Ransomware)',
                'Opportunistic Targeting',
                'Data Theft for Dark Web Sale'],
 'post_incident_analysis': {'corrective_actions': ['Government-proposed '
                                                   'ransomware payment ban for '
                                                   'public sector entities.',
                                                   'DfE/NCSC free training '
                                                   'programs for school staff.',
                                                   'Dedicated cyber incident '
                                                   'response team for schools '
                                                   '(DfE).',
                                                   'Public awareness campaigns '
                                                   'about phishing risks.',
                                                   'Potential future funding '
                                                   'increases for school '
                                                   'cybersecurity (advocated '
                                                   'by NAHT).'],
                            'root_causes': ['Systemic underfunding of '
                                            'cybersecurity in state schools.',
                                            'Lack of specialized cybersecurity '
                                            'staff in education institutions.',
                                            'Overly permissive network access '
                                            'in universities (designed for '
                                            'academic collaboration).',
                                            'Low cybersecurity awareness among '
                                            'students and staff.',
                                            'Opportunistic targeting by '
                                            'cybercriminals exploiting '
                                            "'dragnet' attacks."]},
 'ransomware': {'data_encryption': ['Confirmed (West Lothian Council, '
                                    'Universities)'],
                'data_exfiltration': ['Confirmed (Kido, West Lothian Council, '
                                      'Universities)'],
                'ransom_paid': ['None (Kido Data Deleted Post-Backlash)',
                                'Proposed UK Ban on Ransom Payments for '
                                'Schools/NHS/Councils']},
 'recommendations': ['Increase cybersecurity funding for state schools to '
                     'address expertise and resource gaps.',
                     'Expand mandatory cybersecurity training for students and '
                     'staff in all education sectors.',
                     'Implement stricter access controls and network '
                     'segmentation in universities to limit lateral movement.',
                     'Accelerate the proposed ban on ransomware payments for '
                     'public sector entities to disincentivize attacks.',
                     'Enhance collaboration between education institutions and '
                     'the NCSC for threat intelligence sharing.',
                     'Conduct regular penetration testing and red team '
                     'exercises to identify vulnerabilities proactively.'],
 'references': [{'source': 'BBC News'},
                {'source': 'UK Government Cyber Security Breaches Survey 2023'},
                {'source': 'Darktrace Threat Analysis (Toby Lewis)'},
                {'source': 'Department for Education (DfE) Statement'}],
 'regulatory_compliance': {'regulatory_notifications': ['Likely Notifications '
                                                        'to UK Data Protection '
                                                        'Authorities '
                                                        '(Unspecified)']},
 'response': {'communication_strategy': ['Public Disclosure of Kido Breach',
                                         'Government Awareness Initiatives'],
              'containment_measures': ['Data Deletion by Attackers (Kido)',
                                       'Government-Proposed Ransomware Payment '
                                       'Ban'],
              'incident_response_plan_activated': ['Kido Nurseries '
                                                   '(Post-Breach Data '
                                                   'Deletion)',
                                                   'West Lothian Council '
                                                   '(Unspecified)',
                                                   'Universities '
                                                   '(Unspecified)'],
              'remediation_measures': ['Free Cybersecurity Training for School '
                                       'Staff (DfE/NCSC)',
                                       'Dedicated Cyber Incident Response Team '
                                       '(DfE)'],
              'third_party_assistance': ['UK National Cyber Security Centre '
                                         '(NCSC) Support for Schools']},
 'stakeholder_advisories': ['UK Association of School and College Leaders '
                            "(Pepe Di’lasio): Warned of ransomware as a 'major "
                            "risk.'",
                            'National Association of Head Teachers (James '
                            'Bowen): Called for additional government funding '
                            'for cyber threat response.',
                            'Department for Education: Emphasized existing '
                            'support (training, incident response teams) and '
                            'seriousness of threats.'],
 'threat_actor': ['Radiant (Hacking Group)',
                  'Unnamed Initial Access Broker(s)'],
 'title': 'Cyber Attacks on UK Education Sector, Including Kido Nurseries Hack '
          'by Radiant Group',
 'type': ['Data Breach', 'Ransomware', 'Phishing'],
 'vulnerability_exploited': ['Lack of Cybersecurity Expertise',
                             'Funding Pressures in State Schools',
                             'Open Academic Networks in Universities',
                             'Cyber-Illiterate Student Population']}