Hackers have stolen sensitive personal data—including photos, names, and addresses—of around 8,000 children from Kido, a nursery chain operating 18 sites in and around London.
According to reports, a cybercriminal gang is now using the stolen information to extort the company, going so far as to contact parents directly by phone as part of their ransom demands.
While Kido has not yet released a public statement, the BBC reports that affected nurseries and parents have been notified.
The stolen data also includes information about parents, carers, and safeguarding details.
A Metropolitan Police spokesman said: "Met Police received a referral on Thursday following reports of a ransomware attack on a London-based organisation.
"Enquiries are ongoing and remain in the early stages within the Met's Cyber Crime Unit. No arrests have been made."
Bryony Wilde, whose child attends a Kido nursery in London, told the BBC: "They are kids - their personal details shouldn't be worth anything.
"You are probably prepared to go a little bit further to protect children's privacy and personal details."
She described the children as "completely innocent victims".
Cybersecurity firm Check Point described the breach as “an absolute new low,” stating that targeting children and schools is “indefensible” and “appalling.”
The hacking group responsible is allegedly called Radiant and is relatively new.
Jonathon Ellison, from the National Cyber Security Centre described the hack as "deeply distressing".
He told the BBC: "Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act.”
One parent who spoke to the BBC said she received an email from the hackers informing her of the information that had been stolen.
Despite the alarming nature of the email, she said she felt the nursery had handled the situation well.
The cybercriminals behind the attack contacted the BBC directly and have since shared details of the breach on their darknet website.
As part of their extortion efforts, they published a sample of the stolen data, including photos and profiles of 10 children.
The hackers are using the release to pressure the Kido nursery chain into paying a ransom.
Police have strongly advised against paying ransoms, warning that doing so only fuels the wider cybercrime ecosystem.
When contacted by the BBC the cyber criminals said they "weren't asking for an enormous amount" and they "deserve some compensation for our pentest."
A pentest refers to a simulated cyber attack against an organisation’s computer systems to find and exploit vulnerabilities before hackers do.
These hackers, however, attacked the nursery chain without their permission.
On its website, Kido, which has locations in London, says: "Our international network of schools in the USA, UK, India and China ensures that we bring best practices in operations, training, curriculum and care to each school."
Kido has been contacted by The Standard for comment.
