The international nursery chain Kido is facing an escalating cyber-extortion campaign after the hacking group “Radiant” stole sensitive data belonging to approximately 8,000 children. In a significant escalation reported on September 26, 2025, the criminals have threatened to publish 30 more detailed child profiles along with 100 employees’ private data if a ransom is not paid1. The group has already published a sample of 10 children’s profiles on a dark web site and has initiated a disturbing new tactic: directly contacting parents with threats1. This incident highlights a concerning evolution in ransomware tactics, moving beyond corporate targets to directly intimidate individuals associated with the victim organization.
The breach occurred through data hosted by a third-party software service called Famly, which is widely used by nurseries for management2. Kido International, which operates 18 nurseries in and around London with additional sites internationally, has confirmed the incident to authorities. The stolen data is extensive and highly sensitive, including children’s full names, genders, dates of birth, birthplaces, home addresses, photographs, and safeguarding notes. Information about parents and carers, including who the child lives with and contact details, was also compromised, along with data on approximately 100 employees2, 5. There is currently no indication that other customers of the Famly software platform are affected.
Extortion Tactics and the “Data Leakage Roadmap”
The Radiant group has implemented a multi-phase extortion strategy to pressure Kido into paying a ransom. The group published what they term a “data leakage roadmap,” explicitly outlining their threat to release 30 additional profiles per child and the complete dataset on 100 employees if their demands are not met1. This structured approach to data publication is designed to create sustained pressure over time. The hackers communicated with the BBC via Signal, stating they “weren’t asking for an enormous amount” and claimed they “deserve some compensation for our pentest,” referring to the attack as a penetration test1. The group’s fluency in English was noted, though they claimed it was not their first language.
Direct Contact with Parents: A New Level of Aggression
A particularly aggressive aspect of this attack is the hackers’ decision to contact parents directly. One mother received a threatening phone call where the hacker stated they would post her child’s information online unless she pressured Kido to pay the ransom1. This tactic of involving the victims’ clients or associates directly is rare and marks a significant escalation in cyber-extortion campaigns. The group admitted to hiring individuals to make these calls, indicating a level of organization beyond typical ransomware operations. When questioned about their motives, the hackers were blunt, stating, “We do it for money, not for anything other than money. I’m aware we are criminals. This isn’t my first time and will not be my last time”1.
Response from Authorities and Affected Organization
Kido has not issued a public statement or responded to media requests for comment, but the company has notified parents and is working with the relevant authorities2. The Metropolitan Police Cyber Crime Unit has confirmed that it has received a referral and that “enquiries are ongoing and remain in the early stages”1, 2. No arrests have been made at this time. The Information Commissioner’s Office (ICO) has also been notified, stating that “Kido International has reported an incident to us and we are assessing the information provided”2, 6. The ICO has the power to issue significant fines for data protection failures.
The attack has been condemned by cybersecurity experts. Graeme Stewart from Check Point described it as an “absolute new low” and “appalling,” stating, “To deliberately put children and schools in the firing line, is indefensible”2, 6. Jonathon Ellison from the National Cyber Security Centre called the reports “deeply distressing” and noted that “going after those who look after children is a particularly egregious act”2, 7. The incident is part of a broader wave of high-profile cyberattacks affecting UK organizations, including recent incidents at Jaguar Land Rover, Marks & Spencer, and the Co-op1, 2.
Relevance and Implications for Security Professionals
This case study demonstrates a critical shift in adversary behavior, moving beyond encryption and data theft to active harassment of associated individuals. For security teams, this underscores the importance of understanding the entire data supply chain, particularly the security posture of third-party vendors like Famly. The attackers’ use of a “roadmap” shows a calculated approach to maximizing psychological pressure on the victim organization. The direct contact with parents also illustrates that the impact of a data breach can extend far beyond the corporate network, creating real-world safety concerns that complicate incident response and negotiation strategies.
Organizations should review contracts and security assessments for critical third-party service providers that handle sensitive data. Incident response plans must be updated to include procedures for managing communications with affected individuals who may be contacted directly by threat actors. Furthermore, this incident highlights the need for robust data classification policies; sensitive data such as safeguarding notes on children should be subject to the highest levels of protection and access control. Monitoring for the exposure of corporate data on dark web leak sites is now a essential component of threat intelligence.
Conclusion
The attack on Kido nurseries by the Radiant group represents a disturbing development in the cyber threat landscape. The theft of children’s data and the subsequent direct threats to parents demonstrate a willingness by threat actors to exploit the most vulnerable targets to achieve their financial goals. The ongoing investigation by law enforcement will be closely watched, as will the regulatory response from the ICO. This incident serves as a stark reminder of the human cost of data breaches and the evolving tactics of cybercriminal groups. It reinforces the necessity for organizations, especially those handling sensitive personal data, to implement rigorous security measures and prepare for novel extortion techniques.
