When Criminals Target Children: The Kido Nursery Attack and What It Means for UK Small Businesses

Pull up a chair. After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses.

Let me start with what happened.

The Attack: A New Low

Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. Seventeen in London, one in Windsor. All operated by Kido International, a premium childcare chain.

The attackers, calling themselves Radiant Group, didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Parents' contact details. Safeguarding notes that document which children might be vulnerable.

Then they did something I've never seen in four decades of IT: They published profiles and photographs of ten children on their darknet leak site. As "proof of compromise."

And they started ringing parents. Directly. By phone. As part of their extortion tactics.

My Reaction? Fury.

I've worked in IT since the 1980s. Watched security become critical at Intel. Seen the stakes rise at Disney. Managed technology risks at the BBC. Witnessed the evolution from cassette tape backups to cloud-first strategies. I've seen criminals hit hospitals, councils, charities. I thought I'd seen the worst of human behaviour in this industry.

I was wrong.

The Radiant Group's justification makes it worse. They claimed they "weren't asking for an enormous amount" and deserved "compensation for our pentest."

Pentest. They called this criminal behaviour a penetration test.

Let me be absolutely clear: This was not a penetration test. This was not ethical hacking. This was criminal extortion that weaponised children's personal data. And the fact they're trying to dress it up as legitimate security testing tells you everything you need to know about their boundaries.

They don't have any.

The Technical Reality (What Actually Failed)

Here's what should have prevented this attack:

Data encryption at rest. If the database containing children's photos and personal details was properly encrypted, stealing it would have been useless. The attackers would have walked away with encrypted files they couldn't read. No double-extortion leverage.

Network segmentation. The database shouldn't have been accessible from the same systems that employees use for daily operations. Separate networks for sensitive data. Basic practice.

Access controls. Who needed to see all 8,000 children's records? Who needed the photos? Who needed the safeguarding notes? Role-based access limits damage when (not if) you're breached.

Multi-factor authentication. One compromised password shouldn't give access to everything. MFA stops most initial access attempts cold.

Offline backups. If you can restore from backups the attackers can't reach, you don't pay ransoms. Simple as that.

None of these are expensive. None require Fortune 500 budgets. I've implemented all of them at organisations with 20 employees.

Someone at Kido made cost decisions. They prioritised short-term savings over children's safety. Now they're facing ICO fines up to £17.5 million or 4% of worldwide turnover. Plus legal costs. Compensation claims. Regulatory proceedings. Reputational damage.

Good security doesn't have to be expensive, but stupidity always is.

The Regulatory Hammer Is Coming

The Information Commissioner's Office has confirmed they've received Kido's breach notification. Their statement says they're "assessing the information provided."

Translation: They're preparing enforcement action.

Under UK GDPR, children's data gets special protection. Article 8 requires stronger safeguards. The ICO has explicitly stated they'll take "more severe action" when children are harmed.

This case ticks every box for maximum penalties:

  • Special category data (children's information)

  • Particularly sensitive content (photos, safeguarding notes)

  • Large scale (8,000 victims)

  • Vulnerable subjects (young children)

  • Published data (harm has occurred)

  • Apparent security failures (preventable breach)

I'd expect the ICO to make an example of this case. They should. Because right now, every nursery, school, after-school club, and childcare provider in Britain is checking their own security. And most will be horrified by what they find.

What This Means for Small Businesses

If you're thinking "I don't run a nursery, this doesn't affect me," you're missing the point.

The Radiant Group crossed a line yesterday. They showed that criminals will now target and publish the most sensitive data they can find, with no ethical boundaries whatsoever.

What data do you hold that criminals could weaponise?

  • Medical practices: Patient records, diagnoses, mental health notes

  • Legal firms: Confidential case files, divorce proceedings, criminal defence documentation

  • Financial advisors: Personal wealth information, investment details, tax records

  • HR consultancies: Salary data, disciplinary records, redundancy plans

  • Local councils: Children's social services files, vulnerable adults records

Any business holding sensitive personal data is now at risk of the same tactics. Steal it. Threaten to publish it. Contact the victims directly. Apply maximum pressure.

The criminals just showed us they'll go after the most vulnerable people in our society. Your clients' data is fair game.

The Broader Threat Picture

This attack fits a disturbing pattern. Education is now the third most targeted sector globally, according to Microsoft Threat Intelligence. In the UK:

  • 71% of secondary schools experienced serious breaches last year

  • 97% of universities had security incidents

  • Vice Society ransomware group has hit multiple academy trusts

  • Harris Federation breach affected 37,000 pupils

But yesterday was different. This was the first major ransomware attack specifically targeting nursery-age children's data. The youngest victims yet.

And the attackers appear to be a new group. Radiant Group hasn't been on security researchers' radar before. Which means they're making their debut by targeting children.

That tells you where the ransomware industry is heading. Downward.

What You Must Do (Practical Steps, Not Vendor Nonsense)

If you're holding any kind of sensitive personal data, here's what needs to happen:

1. Audit what you actually hold. Not what you think you hold. What's actually in your systems. Where are the photos? The documents? The databases? Map it all out.

2. Classify by sensitivity. What would hurt people if published? Children's data? Medical information? Financial records? Confidential legal matters? Mark it clearly.

3. Encrypt everything sensitive. At rest and in transit. If someone steals your backup drives, they should see garbage. Use BitLocker (built into Windows Pro). Use FileVault (built into Macs). Both free.

4. Segment your network. The most sensitive data should be on a separate network that requires separate authentication. Even a basic VLAN configuration helps.

5. Implement proper access controls. Use the principle of least privilege. People only access what they need for their job. Nothing more.

6. Enable MFA everywhere. Microsoft accounts. Google accounts. Your line-of-business systems. Everything. No exceptions.

7. Create offline backups. Air-gapped. Disconnected. Somewhere ransomware can't reach. Test restoring from them quarterly.

8. Train your staff. Phishing emails remain the most common initial access method. People need to recognise them. Run realistic tests monthly.

9. Create an incident response plan. Who calls who? What gets shut down? Where are the backups? Who talks to the ICO? Write it down before you need it.

10. Test everything. Your backups. Your incident response plan. Your ability to operate if systems are down. Test it properly.

None of this requires six-figure budgets. I've implemented all of it for businesses with 15 employees. The most expensive part is usually the time to do it properly.

Compare that cost to what Kido International now faces. ICO fines in the millions. Legal fees. Compensation claims. Lost business. Criminal investigation.

Which would you rather pay for?

The Uncomfortable Truth

Here's what keeps me awake at night: This attack was completely preventable with basic security measures.

Kido International isn't some tiny startup. They operate internationally. They charge premium prices. They have corporate structure and presumably professional IT support.

And they still left children's data vulnerable to basic ransomware tactics.

If a well-resourced childcare chain can get this wrong, what's happening at smaller organisations? The independent nurseries with 30 children? The after-school clubs run by volunteers? The small charities working with vulnerable kids?

I'll tell you what's happening: They're storing sensitive data on systems with no encryption, no backups, no access controls, and no incident response plans. Because nobody told them they needed to. Because they thought security was expensive. Because they assumed criminals wouldn't target small organisations.

All of those assumptions died yesterday.

What I'm Telling My Clients

Every client I work with is getting the same message today:

Assume you're a target. Assume criminals have no boundaries. Assume the most sensitive data you hold will be stolen and published unless you prevent it.

Then work backwards from that assumption.

What would hurt your clients most if published? Protect that first. What would destroy your business if encrypted? Back that up offline. What access do staff really need? Limit it now.

This isn't about achieving perfect security. Perfect doesn't exist. This is about making yourself expensive enough to attack that criminals move to easier targets.

Because they will move on. Ransomware operators are businesses. They calculate return on investment. If your security means they'll spend days trying to break in, they'll find someone with weaker defences.

Make yourself the expensive option.

For Nurseries and Childcare Providers Specifically

If you're reading this and thinking "Christ, that could have been us," here's what you do TODAY:

  1. Check your data protection measures immediately. What safeguards do you have for children's photos and personal information?

  2. Review your supplier security. If you use nursery management software like Famly, HeyKiddo, or Tapestry, what security do they provide? Where is data stored? Who can access it?

  3. Conduct a Data Protection Impact Assessment. It's required under GDPR for processing children's data anyway. If you haven't done one, start now.

  4. Review your cyber insurance. Does it cover ransomware? Data publication? Regulatory fines? ICO enforcement? Read the actual policy.

  5. Contact the NCSC. They've issued specific guidance for early years settings. Follow it. All of it.

  6. Think about Cyber Essentials certification. It's the baseline. If you can't meet Cyber Essentials, you're not ready to hold children's data.

And if you're thinking "we can't afford proper security," let me be brutally clear: You can't afford to operate without it.

The ICO will fine you. Parents will sue you. Your insurance may not pay out if you were negligent. You could face criminal prosecution under the Computer Misuse Act for failing to secure systems properly.

The cost of prevention is always less than the cost of recovery.

The Industry Response

The cybersecurity community's reaction has been unanimous condemnation. Dray Agha from Huntress Security called it "reprehensible erosion of boundaries in the cybercriminal network." Alan Woodward from the University of Surrey said criminals "have no limits." Graeme Stewart from Check Point called it "an absolute new low."

They're right. But condemnation doesn't help the 8,000 families affected. Outrage doesn't secure vulnerable systems.

What helps is practical action. Proper security measures. Professional implementation. Budget allocated to protection instead of remediation.

The National Cyber Security Centre called this attack "particularly egregious." Director Jonathon Ellison noted that targeting those who care for children is especially harmful behaviour.

I'd go further: This attack represents a fundamental break in the unwritten rules of cybercrime. There used to be limits. Hospitals were usually off-limits. Critical infrastructure was avoided. Children were protected.

Not anymore.

The criminals just showed us they'll exploit any vulnerability, target any victim, publish any data. No boundaries. No ethics. No limits.

Our defences need to match that reality.

Where This Goes Next

The Kido attack will have consequences beyond this specific case:

Regulatory: The ICO will likely use this for maximum enforcement. Expect guidance updates for organisations processing children's data. Possibly new requirements.

Insurance: Cyber insurance premiums for childcare providers will increase. Some insurers may exclude coverage for organisations without Cyber Essentials.

Legal: Parents will sue. Class action lawsuits are coming. Legal precedent will be set about duty of care for children's data.

Legislative: Parliament may respond with stricter requirements for organisations serving children. Mandatory reporting. Stronger penalties. Criminal liability for executives.

Industry: The childcare sector will be forced to professionalise its approach to cybersecurity. Good. It should have been professional already.

This attack changes the playing field. Every organisation processing children's data is now under scrutiny. The ones without proper security are gambling with other people's children.

That gamble just got a lot more expensive.

My Offer to Small Businesses

If you're reading this and recognising your own security gaps, let's talk. I'm not here to sell you expensive solutions. I'm here because 96% of cyberattacks target small businesses, but 90% of security expertise focuses on large corporations.

Someone needs to bridge that gap.

I've spent 40 years in IT at places like Intel, Disney, and the BBC, watching security evolve from an afterthought to a business-critical function. Now I help UK small businesses get practical protection that actually fits their budgets and constraints. Because you face the same threats as Fortune 500 companies, but you don't need Fortune 500 budgets.

You just need someone who knows how to build security that works in the real world.

If you're holding sensitive data and you're not confident in your security, that's a fixable problem. If you're not sure what security you should have, that's answerable. If you're worried about costs, there are practical solutions that won't bankrupt you.

What's not fixable is waiting until after you're breached. Ask Kido International about the cost of that approach.

Finally

After four decades in IT, I've learned one truth: Breaches are inevitable. Damage is optional.

You will be targeted. The criminals will try. But whether they succeed depends entirely on the decisions you make before they arrive.

Kido International made the wrong decisions. They prioritised cost over protection. They assumed criminals wouldn't target children. They thought basic security was optional.

Yesterday, they discovered the cost of those assumptions.

Don't make the same mistakes.

The criminals just showed us they have no limits. Make sure your defences match that reality.

Right. That's enough from me. If you need help securing sensitive data, you know where to find me.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com