Kido Nursery Rant: When We Lost Whatever Was Left of Our Souls

Right. Deep breath. Actually, no. No deep breaths. I'm not going to be calm about this one.

EIGHT THOUSAND CHILDREN.

Let me say that again for the people in the back who still think cybersecurity is "just an IT problem" or that "we're too small to be targeted" or whatever other bollocks excuse you've been using to avoid taking this seriously.

Eight. Thousand. Children.

Their faces. Their names. Their home addresses. Their medical records. Their safeguarding notes. The kind of information that documents whether a child has a vulnerable family situation, protective arrangements, or special needs. All of it stolen. All of it posted online like some sick trophy collection. And then, because apparently we're living in some dystopian nightmare, the hackers started RINGING THE PARENTS AT HOME.

Can you imagine? You're having your morning coffee, your kid is eating breakfast, and your phone rings. It's a stranger who knows your child's name. Knows what they look like. Knows where you live. Knows their medical information. And they're telling you to pressure the nursery to pay up or else.

The Hackers Can Get Absolutely Stuffed

The Radiant ransomware gang, which, of course, gave themselves an edgy name like characters in a bad action film, dared to call this a "penetration test."

A PENTEST.

Like they're cybersecurity consultants doing Kido a favour by stealing thousands of children's personal information.

When the BBC contacted them (which, credit to the BBC for actually tracking these scumbags down), you know what they said? "We do it for money, not for anything other than money. I'm aware we are criminals."

Oh, well, thank you for that stunning moment of self-awareness, mate. Really appreciate the honesty. Now, how about you take that honesty and shove it directly into the sun?

These people spent WEEKS inside Kido's network. Weeks. They weren't rushed. They weren't sloppy. They carefully mapped everything out, found the children's data, found the employee data, and methodically stole it all. Then they hired people to make threatening phone calls to parents. This wasn't some opportunistic attack. This was planned, organised, and deliberately targeted at the most vulnerable data imaginable.

But Let's Talk About Kido for a Minute

Because while I have precisely zero sympathy for the hackers, I've got some pretty strong words for Kido International as well.

You run 18 locations. You serve 15,000 families globally. You're listed as one of Britain's top-rated nursery chains. Parents are paying you good money, trusting you with their children. And somewhere along the line, someone at your organisation made a decision that adequate cybersecurity wasn't worth the investment.

How do I know this? Because hackers don't spend weeks inside your network if you have proper monitoring in place. They don't exfiltrate 8,000 records if you have data loss prevention. They don't access everything from child records to employee National Insurance numbers if you have network segmentation.

Your security was so inadequate that criminals had free run of your systems for weeks, and nobody noticed. Nobody. Not one alert. Not one flag. Not one "hey, that's odd."

What does that tell me? It tells me you treated cybersecurity as a checkbox exercise. Something you did to tick a box for compliance, rather than to actually protect the children in your care.

And Now Let's Talk About YOU

Yes, you. Reading this. Thinking "well, I don't run a nursery, so this doesn't apply to me."

WRONG.

Every single security failure that enabled this attack is present in small businesses across the UK right now. Right this second.

Probably including yours.

Let me guess:

  • Your passwords are weak, reused, or written on a sticky note

  • You clicked "remind me later" on that security update six months ago

  • Your backup is just files copied to another folder on the same network

  • You have no idea who's accessing what data in your systems

  • You think "we're too small to be targeted"

  • You've got one person who "handles the IT stuff" when they have time

Am I close? Because I've been doing this for 40 years, and I see the same patterns everywhere.

What is the most common entry point for ransomware? Phishing emails. Someone clicks a link they shouldn't. That's it. That's the big, scary hacker technique. They sent an email that looked legitimate, and someone clicked it.

The second most common? Unpatched vulnerabilities. Software updates you couldn't be bothered to install because "it'll only take five minutes and we're too busy."

The third? Weak passwords. Password123. Welcome1. CompanyName2024.

These aren't sophisticated nation-state attacks. These are criminals exploiting the same basic security failures that have existed for decades. And you're making it easy for them.

The Bit That Really Gets Me

What really gets me upset about this whole situation? The complete lack of boundaries.

There used to be some limits. Not many, but some. Most ransomware gangs avoided children's hospitals. Some claimed to have ethics policies. Some lines were generally not crossed.

Those lines are gone. Completely obliterated. Because the Radiant group just proved that targeting children, posting their photos online, and harassing their parents directly WORKS. It creates pressure. It gets attention. It might lead to payment.

Now, every other criminal group out there is taking note. "Oh, they went after a nursery and people freaked out? Interesting. What about schools? Paediatric clinics? Youth sports organisations? Foster care agencies? Fertility clinics?"

This attack just opened Pandora's box, and we're all going to pay the price.

What Happens Now?

The Met Police are investigating. Good luck with that. The hackers claim they're in Russia, which means the chances of arrest are somewhere between "slim" and "absolutely none." Russia doesn't extradite cybercriminals who target Western organisations. In fact, they probably get a lovely apartment and a medal.

The ICO is "assessing the information provided." They could fine Kido up to £17.5 million or 4% of annual turnover. But you know what? Money doesn't unbreak this situation. Those 8,000 children's data is still out there. Those families are still at risk. That information doesn't expire. It doesn't get less dangerous. It's permanent.

A child's name, photo, and home address can't be replaced like a credit card. Medical information about a five-year-old could be used for social engineering attacks when they're 15, 25, 35. Safeguarding notes about vulnerable family situations don't stop being exploitable just because time passes.

These families will spend years, possibly decades, looking over their shoulders and wondering if that stranger at the park knows their child's name for innocent reasons or darker ones. Questioning whether to post photos online. Worrying about identity theft and living with the knowledge that their most private information is in criminal hands forever.

So What Do We Do?

First, we stop pretending this is someone else's problem. Every business handles sensitive data. Client information. Employee records. Financial details. Health information. Personal details. All of it has value to criminals.

Second, we implement basic security controls. And I do mean BASIC:

  • Multi-factor authentication on everything

  • Regular software updates

  • Strong, unique passwords (use a password manager)

  • Offline backups that ransomware can't reach

  • Network segmentation so one breach doesn't compromise everything

  • Monitoring and alerting for unusual activity

  • Staff training on phishing and social engineering

None of this requires an enterprise budget. Small businesses can implement these controls. They just need to prioritise it.
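One way to put the "monitoring and alerting for unusual activity" item into practice, and to back up the earlier point that nobody should be able to read thousands of records unnoticed: an added example (my own, not code from the article or from Kido's systems) that scans a constructed record-access audit log and raises an alert when any account reads more than a threshold of distinct records inside a sliding one-hour window. The log format, account names and threshold are assumptions.

```python
"""Bulk-access alerting over a constructed record-access audit log.

Added example, not from the article. Assumes an application writes one line
per record read in the form "ISO-time user action record_id". A room lead
normally opens a handful of child records a day; an account that pulls
hundreds of distinct records in one window is exactly what monitoring
should flag long before weeks of dwell time turn into exfiltration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two normal users and one account reading far too much,
# at 2 a.m., which no nursery staffer has any reason to do.
SAMPLE_LOG = "\n".join(
    ["2025-09-01T08:0%d:00 room_lead_a read child/%03d" % (i, 100 + i) for i in range(5)]
    + ["2025-09-01T09:1%d:00 admin_b read staff/%03d" % (i, 10 + i) for i in range(3)]
    + ["2025-09-01T02:%02d:%02d svc_backup read child/%03d" % (i // 7, i % 60, i)
       for i in range(400)]
)


def bulk_access_alerts(log_text, window=timedelta(hours=1), max_distinct=50):
    """Return [(user, window_start, distinct_records)] for every account that
    read more than `max_distinct` distinct records within any `window`."""
    reads = defaultdict(list)  # user -> [(timestamp, record_id)]
    for line in log_text.splitlines():
        ts, user, action, record = line.split()
        if action == "read":
            reads[user].append((datetime.fromisoformat(ts), record))

    alerts = []
    for user, events in reads.items():
        events.sort()                      # oldest first, so the window slides forward
        start = 0
        in_window = defaultdict(int)       # record_id -> reads inside the current window
        for ts, rec in events:
            in_window[rec] += 1
            # Drop events that have fallen out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                alerts.append((user, events[start][0], len(in_window)))
                break                      # one alert per account is enough to page someone
    return alerts
```

Run against the sample, the two ordinary accounts stay quiet and the service account trips the alert on its 51st distinct record, minutes into the window; in production the same logic would sit on the application's audit feed and page on-call rather than return a list.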

Third, we demand accountability. From vendors who store our data. From partners who connect to our networks. From ourselves, when we take shortcuts because "it'll be fine."

And fourth, we get angry. Really, properly angry. Because if we don't treat this attack as the absolute moral outrage it represents, if we just shake our heads and move on to the next news story, we're telling criminals that this is acceptable. That targeting children is just another Tuesday. That there are no consequences and no lines they can't cross.

Final Thoughts

I've been in the information technology space for 40 years. I've seen many horrible things. Hospital ransomware attacks that delayed surgeries and were even the direct cause of at least one death. Care home breaches that exposed elderly residents. Attacks on local councils that cost millions in taxpayer money.

But this? Eight thousand children's personal information stolen and weaponised? Hackers calling parents at home to terrorise them into compliance? This is the lowest point I've witnessed in four decades.

And unless we collectively get our act together, unless businesses stop treating security as optional, unless we demand better from organisations we trust with our data and our children, it will only get worse.

So no, I'm not going to calm down about this. I'm going to stay angry. Anger is the appropriate response when criminals target children and organisations fail to protect them.

Now, put down whatever device you're reading this on and go check your own security, because the next headline could be about your business, your data, or your customers.

And you won't be able to say nobody warned you.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com