Executive Summary
In September 2025, the Kido International nursery chain, operating in several countries and serving over 15,000 families, suffered a ransomware attack orchestrated by the Radiant Group. Attackers accessed sensitive data and photographs of more than 1,000 children, their families, and nursery employees. Some stolen data, including children's pictures and residential addresses, were leaked on a dark web site to pressure Kido into paying a ransom. When extortion attempts failed, the attackers removed the leaked files, but only after making threatening calls to parents, intensifying the distress of the incident.
This event underscores the alarming targeting of childcare and educational institutions by cybercriminals, reflecting a broader trend of ransomware attacks exploiting organizations that handle sensitive personal data. The swift arrests by London police of suspects involved demonstrate growing law enforcement action, yet also highlight increased risks for sectors entrusted with children's safety and privacy.
Why This Matters Now
This incident highlights the urgent need for educational and childcare organizations to enhance their cybersecurity posture as ransomware groups increasingly target institutions with sensitive personal data. With regulatory and parental scrutiny mounting, organizations must address gaps in data security, segmentation, and threat response to protect vulnerable populations.
Attack Path Analysis
Attackers initially compromised the nursery's cloud-based system, likely via exposed credentials or a misconfiguration, gaining unauthorized access. They escalated privileges to obtain broad access across internal resources and databases. From there, they moved laterally within cloud or SaaS environments to collect sensitive child, parent, and staff data. A command-and-control channel was established, probably over covert outbound or encrypted traffic. The adversaries then exfiltrated large volumes of sensitive data, including children's photos and addresses, out of the environment. Finally, they impacted operations and privacy by using the stolen data for extortion, public leaks, and doxing attempts.
Kill Chain Progression
Initial Compromise
Description
Attackers gained unauthorized access to the nursery's SaaS/cloud account, likely via credential compromise or exploiting a misconfiguration.
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Valid Accounts
- Phishing
- Exfiltration Over C2 Channel
- Data Encrypted for Impact
- Inhibit System Recovery
- Steal Web Session Cookie
- Data Manipulation: Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
GDPR (General Data Protection Regulation) – Security of processing
Control ID: Art. 32
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Strong Identity Verification and Privilege Controls
Control ID: Identity (Authenticating and Authorizing Users)
PCI DSS v4.0 – Identify Users and Authenticate Access to System Components
Control ID: Requirement 8.1
NYDFS Cybersecurity Regulation (23 NYCRR 500) – Encryption of Nonpublic Information
Control ID: 500.15
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Primary/Secondary Education
Ransomware targeting children's data exposes educational institutions to similar threats, requiring enhanced egress security and encrypted traffic protection for student information systems.
Individual/Family Services
Nursery breach demonstrates critical vulnerabilities in family service providers handling sensitive child data, necessitating zero trust segmentation and threat detection capabilities.
Computer Software/Engineering
Third-party software services like Famly face increased scrutiny after data hosting breaches, requiring multicloud visibility and anomaly detection for client data protection.
Health Care / Life Sciences
Healthcare providers managing pediatric records face similar ransomware risks, demanding HIPAA-compliant encrypted traffic and east-west security to prevent data exfiltration.
Sources
- London police arrests suspects linked to nursery breach, child doxing: https://www.bleepingcomputer.com/news/security/london-police-arrests-suspects-linked-to-nursery-breach-child-doxing/
- Kido nursery hackers say they have deleted stolen data: https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data
- Hackers reportedly steal pictures of 8,000 children from Kido nursery chain: https://www.theguardian.com/technology/2025/sep/25/cybercriminals-steal-pictures-and-details-of-8000-children-from-nursery-chain
- Hackers 'behind nursery cyber attack' tell Sky News they are releasing more data on dozens of children: https://news.sky.com/story/hackers-behind-nursery-cyber-attack-tell-sky-news-they-are-releasing-more-data-on-dozens-of-children-13438696
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, east-west workload isolation, encrypted traffic controls, and egress policy enforcement would have limited adversary access and lateral movement and blocked data exfiltration, minimizing incident impact. Continuous threat detection and anomaly response could have enabled rapid detection and containment during the early and middle stages of the attack.
Control: Cloud Firewall (ACF)
Mitigation: Reduced initial exposure surface by restricting unauthorized access.
Control: Zero Trust Segmentation
Mitigation: Prevented unauthorized privilege elevation between identities or workloads.
Control: East-West Traffic Security
Mitigation: Blocked or detected unauthorized lateral movement within cloud and SaaS infrastructure.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked command-and-control activity.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized exfiltration of sensitive data.
Enabled early detection to reduce incident scale and response time.
Impact at a Glance
Affected Business Functions
- Childcare Services
- Parent Communication
- Employee Management
Estimated downtime: 7 days
Estimated loss: $500,000
Personal information of approximately 8,000 children, including names, photographs, dates of birth, and addresses, as well as data on parents, carers, and employees, was compromised and leaked online.
Recommended Actions
Key Takeaways & Next Steps
- Rapidly implement egress security and FQDN filtering to prevent unauthorized data exfiltration from cloud and SaaS environments.
- Enforce Zero Trust segmentation and least-privilege access across all cloud workloads, databases, and user identities.
- Deploy cloud-native inline IPS and traffic anomaly detection to identify and block attack communications and lateral movement.
- Centralize multi-cloud visibility and audit logging to accelerate threat hunting and incident response.
- Regularly validate account and workload access policies with microsegmentation and real-time policy enforcement.
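As an added example (not code from this brief or from any vendor product it names), the following Python models one of the detection controls recommended above and the bulk-exfiltration stage described in the attack path analysis: a sliding-window detector over a SaaS audit log that flags an account accessing or exporting far more children's records than normal, and notes whether it did so from an IP outside that account's baseline. The log lines, actor names, IP addresses, action names and field names are constructed for illustration and do not reflect any real platform's schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Actions that touch child records; names are assumed, not a real platform's schema.
SENSITIVE_ACTIONS = {"child_profile.view", "child_profile.export", "child_photo.download"}


def constructed_log():
    """Constructed JSON-lines audit log (not real data): a day of routine staff
    activity followed by one account bulk-exporting records out of hours."""
    t0 = datetime(2025, 9, 20, 9, 0, tzinfo=timezone.utc)
    events = [{"ts": (t0 + timedelta(hours=i)).isoformat(), "actor": "staff-a",
               "action": "child_profile.view", "src_ip": "198.51.100.10"}
              for i in range(6)]
    t1 = datetime(2025, 9, 21, 2, 15, tzinfo=timezone.utc)
    events += [{"ts": (t1 + timedelta(seconds=i)).isoformat(), "actor": "staff-b",
                "action": "child_profile.export", "src_ip": "203.0.113.7"}
               for i in range(120)]
    return "\n".join(json.dumps(e) for e in events)


def detect_bulk_access(log_text, threshold=50, window=timedelta(minutes=10), baseline_ips=None):
    """Return one alert per actor whose sensitive-record accesses reach `threshold`
    within any `window`, noting whether the source IP is outside the actor's baseline."""
    baseline_ips = baseline_ips or {}
    recent = defaultdict(deque)  # actor -> timestamps of sensitive actions still in window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["actor"]]
        q.append(ts)
        while ts - q[0] > window:  # drop accesses older than the window
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "count": len(q),
                           "first_seen": q[0].isoformat(), "src_ip": ev["src_ip"],
                           "new_ip": ev["src_ip"] not in baseline_ips.get(ev["actor"], set())})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(constructed_log(), baseline_ips={"staff-b": {"198.51.100.10"}}):
        print(alert)
```

The threshold and window are starting points; in practice they are tuned per role from historical audit volume, and an alert with new_ip set would be raised to a containment action rather than a ticket.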