On September 25, 2025, parents across London and beyond awoke to a nightmare scenario: hackers had claimed to steal the names, addresses, and photos of around 8,000 children from the Kido nursery chain, a company operating 18 sites in and around London, as well as locations in the US, India, and China. The criminals, who call themselves Radiant, posted samples of the stolen data—including pictures and profiles of ten children—on their darknet website, demanding a ransom from the company and, in some cases, allegedly contacting parents directly to extort them.
According to BBC News, the hackers’ trove included not only children’s personal information but also details about their parents and carers, and even safeguarding notes. The group appears to have used this highly sensitive data as leverage, threatening to release further information unless their demands are met. The hackers, when challenged about the morality of targeting nurseries, told BBC News they “weren’t asking for an enormous amount” and claimed, “we deserve some compensation for our pentest.” In cybersecurity lingo, a pentest—short for penetration test—typically refers to a sanctioned attempt to probe a company’s defenses. Here, however, Radiant’s actions were anything but authorized or ethical.
As news of the breach spread, parents received emails from Kido confirming the incident and offering reassurance. One parent, who asked to be referred to as Mary, told BBC News that the nursery had informed families “very quickly.” She described the hackers’ email as “all very professional and well-written, no spelling mistakes or anything like that.” While her partner works in cybersecurity and the family understands such things can happen, she added, “we do feel the nursery has handled it well.”
The emotional toll on families, however, was palpable. Bryony Wilde, whose child attends a Kido nursery in London, told BBC News, “They are kids—their personal details shouldn’t be worth anything. You are probably prepared to go a little bit further to protect children’s privacy and personal details.” She described the children as “completely innocent victims.”
For many cybersecurity experts, this attack crossed a line. Graeme Stewart, from Check Point Software, described the incident to Sky News as “the most depressing day, I think, since I’ve been doing this.” He continued, “To deliberately put children and schools in the firing line, is indefensible. Frankly, it is appalling.” Toby Lewis, head of threat analysis at Darktrace, echoed this sentiment, telling Sky News that while the style of attack was not new, “what is different is the brazenness and willingness to target children or children settings.” He added, “It definitely seems we are seeing a different style of group, maybe, certainly one that is less concerned about the ethics of what they’re doing.”
Jonathon Ellison, director of national resilience at the National Cyber Security Centre, described the hack as “deeply distressing.” He told BBC News, “Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act.” The NCSC has since highlighted its bespoke guidance to help nurseries and early years settings protect themselves from such attacks, as well as advice for individuals concerned about their data.
Law enforcement agencies have moved quickly to respond, though progress remains at an early stage. The Metropolitan Police confirmed they received a referral on September 25 “following reports of a ransomware attack on a London-based organisation.” In a statement cited by Sky News and the BBC, the Met said, “Enquiries are ongoing and remain in the early stages within the Met’s Cyber Crime Unit. No arrests have been made.”
The Information Commissioner’s Office (ICO), the UK’s data watchdog, is also involved. An ICO spokesperson told Sky News, “Kido International has reported an incident to us and we are assessing the information provided.” The ICO’s assessment will determine whether Kido fulfilled its legal obligations regarding the protection of sensitive personal data and the notification of affected parties.
Despite the severity of the incident, Kido has yet to issue a public statement or confirm all the hackers’ claims, though parents and employees have reportedly been notified. The company’s website highlights its international network of schools in the USA, UK, India, and China, emphasizing best practices in operations, training, curriculum, and care—making the breach all the more jarring for families who trusted Kido with their most precious assets.
Police and cybersecurity experts have strongly advised against paying ransoms, warning that doing so only encourages further attacks and perpetuates the cycle of cybercrime. Rebecca Moody, head of data research at Comparitech, told the BBC that the nature of the data posted online “raises alarm bells,” adding, “We’ve seen some low claims from ransomware gangs before, but this feels like an entirely different level.” She urged the nursery chain to contact anyone affected by the data breach “as a matter of urgency.”
The Kido hack is the latest in a string of high-profile ransomware attacks targeting UK organizations. Earlier this year, retail giant Marks & Spencer suffered an attack that cost an estimated £300 million. Jaguar Land Rover was forced to halt production after its systems were compromised, while other household names like Co-op, Harrods, Aldi, Tesco, and Sainsbury’s have all faced disruptions linked to cybercrime in recent months. The Co-op, for instance, reported an £80 million hit to profits following an attempted hack in April.
What makes the Kido breach especially egregious, however, is the targeting of children—individuals who have no say in the security of their data and whose privacy is paramount. The hackers’ willingness to publish images and profiles of children, and to contact parents directly, has shocked even seasoned professionals in the field. As Check Point’s Graeme Stewart put it, “It just shows frankly a lack of ethics and morals, to go after children’s data.”
For now, the Metropolitan Police’s Cyber Crime Unit continues its investigation, and the ICO’s assessment is underway. The incident has reignited debate over the adequacy of cybersecurity measures in schools and nurseries, and the responsibilities organizations have when entrusted with sensitive personal data—especially that of society’s youngest members.
As the fallout continues, one thing is clear: the Kido hack has set a chilling precedent, underscoring the urgent need for robust digital defenses and a renewed commitment to protecting children’s privacy in an increasingly connected world.
