UK nursery schools hit by ransomware, exposes 8K children, photos, contact details, and more


Kido Schools, a London-based nursery school chain, has been hit by ransomware – and now the hackers claiming responsibility for the attack have begun leaking stolen images and other sensitive information belonging to the alleged 8,000 preschoolers, exposing them on the dark web.

In what appears to be a new low, even for cybercriminals, a never-before-seen ransomware group, calling itself Radiant, posted the Kido International Nurseries & Preschool group on its dark leak site late Wednesday.

“We currently possess sensitive data on over 8000+ children + their relatives, grandparents, aunties, uncles, parents. (Everyone!) + all employees and company data,” the group writes on its blog.

Although the preschool conglomerate boasts a network of three dozen locations worldwide serving more than 15,000 families, including in the US, India, and China, the hackers appear to have only targeted Kido schools in the UK.

Listed as one of Britain's top-rated nursery chains, Kido has a total of 19 preschools for kids in the Greater London area, according to its website. Children attending Kido Schools are said to range from 8 months to 6 years old.

Radiant ransomware attack Kido Schools - leak post
Radiant leak site. Image by Cybernews.

Kido is said to have notified the proper authorities, as well as all parents, but has not yet made a public statement.

"Enquiries are ongoing and remain in the early stages within the Met’s Cyber Crime Unit," London's Metropolitan Police said in a statement about the incident.

Massive leak of sensitive data

Radiant said it began posting sample profiles of the alleged child victims after negotiations had broken down between the group and the school.

“ALL UK based nurseries were affected (18 in total) We have added 10 new profiles and 1 screenshot of 50 employees PII. More is coming soon,” the blog states.

So far, the gang has posted the profiles of 20 children, each profile containing a close-up image of the child’s face, full name, gender, and date of birth.

Radiant ransomware attack Kido Schools - kids sample
Radiant leak site. Image by Cybernews.

Cybernews can also confirm that once the profile is opened, a cache of more sensitive information is revealed, including birthplace, who the child resides with, parents' names, parents’ place of work, plus their telephone numbers and email addresses.

Additionally, the children's profiles identify the names of grandparents and other relatives or caretakers – some even listing neighbors – and their phone numbers.

On Friday, Radiant added what appears to be a stolen database of Kido’s UK employees, also containing a plethora of personal information, and threatened that there was "more to come."

The BBC reported that the hackers sent an email to at least one of the parents, but did not say what was in the email, just that there were no spelling mistakes, unlike the leak site.

The database shown includes the employee’s name, gender, date of birth, full address, email address, unique worker ID, National Insurance (NI) number, and the employee’s start date.

Radiant ransomware attack Kido Schools - employees sample
Radiant leak site. Image by Cybernews.

Radiant has lots to say

The BBC, which Radiant had allegedly contacted over an encrypted messaging service on Thursday, reported that the ransomware actor said it had been inside Kido's networks for weeks.

The hackers also told the news outlet they were located in Russia, although they did not provide any evidence.

Besides stealing the private information of children and employees, Radiant further claims it has also exfiltrated “accident reports, safeguarding reports, billing, and bulk,” but is safeguarding the information, “giving kido a chance” to cooperate.

This is despite Radiant’s claims that it had offered to discount Kido’s ransom demand multiple times and keep the preschools’ name out of the press in exchange for complying with the ransomware group’s requests.

“Kido is a completely careless company who baited us into a long and painful dialog only for them to ignore our latest messages,” the group said, slamming the nursery chain.

“Kido should of been much more careful with their upmost sensitive data, and we shouldve received compensation for our pentest on Kido Internationals network,” it wrote in grammatically incorrect English.

Radiant has also encouraged Kido parents to file suit against the nursery through a website called “Join the Claim.”

The seemingly legitimate website, ironically, has open claims for victims of both British retail hacks on Marks & Spencer and Co-op, carried out this spring by the Scattered Spider ransomware group. As of August, more than 10,000 victims have signed onto the M&S claim, it reports.

Cybernews points out that Kido Schools is the only victim appearing on Radiant's barebones onion site, which is also devoid of an official logo for the group. Furthermore, as far as Cybernews can tell, no threat intelligence group or cybersecurity researcher has profiled the fledgling ransomware group.
