Recently, one of the most disturbing cyber incidents in the UK has emerged: Hackers have stolen and leaked highly sensitive data from Kido International, a global nursery chain with 18 UK sites and dozens more across the US, India and China.

The attackers, who call themselves Radiant, claim to have stolen the personal information of around 8,000 children, including photographs, names, addresses, dates of birth and even safeguarding notes. Equally concerning, they also claim to hold data about parents, carers, and staff.

Already, profiles of at least 20 children have appeared on the dark web, alongside threats to publish even more unless Kido pays a ransom. Parents have even reported receiving direct calls and emails from the criminals in an attempt to exert pressure on the nursery group. This is, as one cyber security expert bluntly put it, “a new low.”

Why is this attack so disturbing?

While ransomware attacks on hospitals, businesses and public services are sadly becoming common, the targeting of children’s data crosses an ethical line that shocks even seasoned cyber security experts. Children are innocent victims. As one parent put it, “Their personal details shouldn’t be worth anything.” 

Yet hackers still see value in exploiting them. 

The data at stake is also far more sensitive than financial information. Unlike credit card details, which can be cancelled or replaced, photographs, addresses and safeguarding notes are deeply personal and potentially dangerous if misused. To make matters worse, parents and carers are being directly threatened. The group behind the attack has reached out to families, creating not only data risks but also genuine psychological distress.

Jonathan Ellison, Director at the UK’s National Cyber Security Centre (NCSC), summed it up as “deeply distressing,” noting that cyber criminals will target anyone they believe has the means to pay, even those responsible for the care and protection of children.

Ransomware on the rise

This attack on Kido is not an isolated event. It sits within a growing global wave of ransomware incidents affecting hospitals, schools, local governments and major corporations. Recent victims include Jaguar Land Rover, M&S and the Co-op.

The criminals’ tactics are clear: Steal or lock down critical data, then demand money for its release. Paying, however, is strongly discouraged by police and cyber security experts, since it only fuels the cycle of attacks and offers no guarantee that stolen data will truly be deleted.

Could this have been prevented?

While no system is ever 100% secure, many ransomware attacks succeed because of avoidable weaknesses. In the Kido case, one parent noted that they would rather the nursery school chain had been using some sort of encryption software.

Steps that all organisations handling sensitive data should take now include:

• Data encryption. Ensures that even if data is stolen, it cannot easily be read or used 
• Regular backups. Maintains secure, offline backups of systems and data to reduce disruption in case of attack 
• Multi-factor authentication (MFA). Makes it harder for attackers to gain access using stolen passwords 
• Staff training. Human error is often the weakest link. Teaching staff to spot phishing emails or suspicious activity is essential 
• Timely patching. Many breaches exploit outdated software or unpatched vulnerabilities 
• Incident response planning.  Having a clear plan for containment, communication, and recovery often is the difference between chaos and control 

The NCSC offers specific guidance for early years providers, recognizing that nurseries and schools are increasingly in the crosshairs of cyber criminals.

Cyber security matters now more than ever

The Kido breach highlights a hard truth: Cyber security is child protection.

Just as nurseries lock their doors and safeguard their classrooms, they must also protect their digital environments. The idea that photographs, addresses, or medical notes of children could be bartered on the dark web is not just a technical failure, it’s a moral one.

Organisations that work with children, healthcare or other vulnerable groups have an even higher duty of care. Strong cyber security is no longer optional. It’s a fundamental part of safeguarding.

What can individuals do?

While organisations must carry the main responsibility, parents and carers can also take steps if they fear their data, or their children’s, has been exposed:

• Stay alert for phishing attempts. Hackers may try to exploit stolen information to trick families into clicking malicious links 
• Report suspicious contact. Any direct approaches by criminals should be reported to the police and Action Fraud 
• Monitor accounts and credit. While children cannot open credit lines, parents may want to check for unusual financial activity 
• Ask questions of providers. Whether a nursery, school, or healthcare service, families are entitled to know how data is protected 

The Kido ransomware incident is a chilling reminder that no one is off limits for cyber criminals. When even nurseries are targeted, it underlines the urgent need for robust cyber security, ethical responsibility and regulatory enforcement.

The safety and privacy of children must never be negotiable. And the best way to protect them is by making cyber security as much a part of safeguarding as locked doors, background checks and trusted staff.

Your organisation needs to know how to protect itself from cyber threats and maintain a secure digital environment. Vinciworks’ cyber security courses prepare your team for all cyber risks with training and micro-learning modules on a range of topics from social media to IT security. Try it here.