London Metropolitan Police
Image: Bob Jenkin via Pexels

Teenagers arrested in England over cyberattack on nursery chain Kido

Two boys, both aged 17, were arrested on Tuesday by police investigating the cyberattack and attempted extortion of the British nursery school chain Kido.

The boys were arrested at the scene of a search of a number of residential addresses in the town of Bishop’s Stortford in Hertfordshire, about 40 miles north of London. They remain in custody for questioning on suspicion of computer misuse and blackmail, according to London’s Metropolitan Police Service.

The attempted extortion, which involved the perpetrators publishing pictures of named infants enrolled at Kido’s nursery schools, provoked revulsion among the cybersecurity community across both the private sector and law enforcement.

The children’s pictures and names appeared alongside the addresses and contact details for their parents and carers, increasing the risk posed to the children’s wellbeing. Matt Hull, a former child protection detective who now heads threat intelligence for cybersecurity company NCC Group, described the attack as “a deeply disturbing shift in criminal tactics.”

Around 8,000 children are believed to have been impacted by the data breach, although only 20 children had their pictures and names published online. The hackers used the contact details listed for parents and carers to make phone calls to increase the pressure on Kido to make an extortion payment in bitcoin.

After receiving a referral about a ransomware attack on September 25, the investigation was led by the Met’s cybercrime unit. Will Lyne, the Met’s head of economic and cybercrime, said: “Since these attacks took place, specialist Met investigators have been working at pace to identify those responsible.

“We understand reports of this nature can cause considerable concern, especially to those parents and carers who may be worried about the impact of such an incident on them and their families. These arrests are a significant step forward in our investigation, but our work continues, alongside our partners, to ensure those responsible are brought to justice,” added Lyne.

Several private sector organizations and individuals were so troubled by the publication of the pictures they offered police assistance with the investigation. Recorded Future News understands at least one cybersecurity company held meetings to rework its pro bono initiatives in response.

The darknet website for the group, which called itself Radiant, did not appear as professionally made as those of other established ransomware groups. It used a basic template, featured no recognizable string at the beginning of its .onion URL, and listed no other victims.

Pressure from all sides

Following an extremely critical response to their extortion attempt from both the public and even among the cybercrime community, the hackers eventually blurred the uploaded children’s images before eventually claiming to have withdrawn their extortion attempt entirely and to have deleted the stolen material.

NCC Group’s Hull said the attack was “a chilling reminder that everyone, even children, can be the target of cyber crime.”

“Posting profiles of children and their families as proof of the hack marks a deeply disturbing shift in criminal tactics, which goes beyond financial and operational disruption. If information such as safeguarding records and home addresses of vulnerable children are leaked it can put them and their families at serious and immediate risk.”

“By threatening to release even more profiles, family details, and employee data, the criminals are putting a spotlight on the deeply disturbing nature of ransomware tactics. But this is not the first time we’ve seen cyber attacks stoop so low, and it will be far from the last,” said Hull.

Back in March 2023, the AlphV ransomware group provoked disgust by attempting to extort a healthcare network in Pennsylvania by publishing clinical photographs of breast cancer patients. While several criminal collectives have claimed not to target hospitals, schools or critical infrastructure, attacks on these entities remain relatively commonplace.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.