Hackers with pictures and the private information of thousands of nursery children have threatened to publish more information online unless they are paid.
Criminals calling themselves Radiant hacked the UK-based Kido nursery chain and posted profiles of 10 children online on Thursday. Their website on the dark web has posted a “data leakage roadmap” that sets out how the “next steps for us will be to release 30 more profiles of each child and 100 employees’ private data”.
According to a cybersecurity industry briefing seen by the Guardian, Radiant appears to be a new group within cybercrime circles that is “testing the boundaries of morality and depravation”.
The group’s online posts show a proficient command of English but there are indications that they may be non-western, such as a “slight awkwardness” in phrasing, the analysis notes.
It further states that the Radiant gang’s “leak site” – a common ransomware tactic in which a victim’s data is displayed on the dark web – contains 10 Kido customer profiles, which include the child’s name, date of birth, birthplace and details of parents, grandparents and guardians including addresses and phone numbers.
The site also claims to have sensitive data on more than 8,000 children and their families, including accident and safeguarding reports, as well as billing. It says all Kido nurseries in the UK were affected.
The leak site cites attempts to negotiate with Kido and carries a threat to “ruin their entire company as we slowly leak and we urge them to continue our dialog[ue]”.
Kido has not responded to the Guardian’s request for comment. The nursery chain is working with the authorities, including the Information Commissioner’s Office and Ofsted, and the Metropolitan police is investigating.
An email seen by the Guardian from Kido UK’s chief executive, Catherine Stoneman, said it was treating the incident “with the highest priority”, including engaging independent IT forensic experts in a “complex” and potentially time-consuming investigation. She attributed the breach to “two third-party systems used to process certain data”.
She wrote: “Where we have confirmed that a family’s information has been affected, the family will have already been contacted. If you have not received individual correspondence from us, that means we have no forensic evidence that your data has been impacted.”
Kido, which has 18 sites around London, with more in the US, India and China, told parents the breach happened when criminals accessed their data hosted by a software service called Famly, which is widely used by nurseries to share photos and information with parents.
Anders Laustsen, the chief executive of Famly, said: “We have conducted a thorough investigation of the incident and can confirm that there has been no breach of Famly’s security or infrastructure in any way and no other customers have been affected. We of course take data security and privacy extremely seriously at Famly.”
One woman told the BBC she had received a threatening phone call from the criminals, who said they would post her child’s information online unless she put pressure on Kido to pay a ransom.
Sean, whose child is at the Kido nursery in Tooting, told the Guardian that he and all the parents he knew had not heard directly from the nursery that their child’s data had been compromised, though they remained apprehensive. “How have they got details on just certain kids and not everyone – that’s the bit that’s not making loads of sense,” he added.
He viewed the cyber-attack as an inherent risk of using any app, and considered the opportunity to gain real-time information on his child, such as what they had eaten, worth it. Sean said he felt sorry for the nursery staff who were “getting the brunt of complaints”, when it was the app provider that needed to explain itself.
“One of the things that’s obviously horrifying is that whoever the people are, they are sinking to new depths trying to extort money out of a nursery and holding children to ransom.” he said.
The police advise companies against paying hacker ransoms as it fuels the criminal ecosystem as cyber-attacks become increasingly widespread.
Notable recent victims include the Co-op, Marks & Spencer and Jaguar Land Rover, with many hacks attributed to an English-speaking cybercriminal community known as Scattered Spider.
The M&S hack deployed ransomware, a tactic popular with Russian speaking cyber gangs involving software that locks up a target’s IT systems.
The BBC has held conversations through the messaging app Signal, and learned that although they spoke fluent English, the criminals said it was not their first language and claimed they hired people to make the calls.
The criminals said: “We do it for money, not for anything other than money. I’m aware we are criminals. This isn’t my first time and will not be my last time.”
They added that they would not be targeting preschools again as the attention had been too great.
