Ransomware Strikes London Nurseries
After a ransomware attack on London nurseries, the ICO and NCSC warn that child data must be better protected.

Ransomware Strikes London Nurseries – A Wake-Up Call for Child Data Security
What Happened?
In early October 2025, the Met Police announced the arrest of two 17-year-olds in Bishop’s Stortford on suspicion of computer misuse and blackmail, after a ransomware attack on Kido International, a London nursery group. The attackers, calling themselves “Radiant”, stole personal data on roughly 8,000 children (names, photographs, addresses and parent contacts) from the nurseries’ cloud system.
They then threatened to publish more records unless Kido paid about £600,000 in Bitcoin. A small sample of 10 children’s profiles was posted on a dark-web site to pressure the company, and the group even began phoning parents directly. (After public outcry the hackers later blurred and claimed to delete the images.) Kido says the breach came via its nursery software provider Famly, although Famly insists its own infrastructure was not compromised. Regardless, the data loss forced Kido to notify authorities (via Action Fraud) and affected families.
Metropolitan Police Head of Economic and Cybercrime Will Lyne urged calm but vigilance, noting that specialist investigators have been working “at pace” on the case. He acknowledged that such reports “can cause considerable concern” for families, but reassured the public that the matter is being “taken extremely seriously”. These arrests, though welcome, are only a “significant step” in the ongoing investigation to bring the perpetrators to justice. The police continue to gather intelligence and warn that the inquiry is far from over.
Why Children’s Data Is So Valuable
Children’s personal data is a prized commodity for fraudsters. In the U.S., for example, child identity fraud has long been a hidden epidemic, costing victims nearly $1 billion per year. Because children have clean credit histories (and typically don’t monitor their credit until adulthood), their stolen data can be used to open accounts or commit financial fraud undetected. As one report notes, an infant’s information essentially provides a “clean credit history” for criminals, since child identity theft often goes unnoticed for years. Criminals prize children’s records for the same reason: they are fresh, untarnished by previous misuse, and can fuel years of fraudulent activity. In short, any breach of nursery or school data exposes families to the risk of long-term identity theft and financial loss.
Education and childcare organisations have become major ransomware targets. Early years settings handle highly sensitive personal information and even payments, making them “appealing target[s] for cybercriminals due to the sensitive information they hold,” according to the UK’s National Cyber Security Centre (NCSC). The risk is acute: schools and nurseries often hold medical records, safeguarding notes, and other sensitive data on each child, plus contact details for parents. Like healthcare, the education sector has very low tolerance for downtime; attackers know institutions may pay to restore operations quickly. Indeed, the ICO has reported that student attackers themselves are behind many school data breaches: 57% of insider breaches in UK schools (2022–24) were caused by pupils exploiting weak passwords or misconfigured systems. Whether the threat comes from external gangs or curious teens, regulators say the findings are “worrying” and urge education settings to step up cybersecurity immediately.
Recommendations for Nurseries and Education Providers
To protect children’s data and comply with UK GDPR and the Data Protection Act, nurseries should implement strong security and incident-preparation measures. Key steps include:
Risk Assessment and DPIAs
Treat any system holding children’s records as high risk. Conduct a Data Protection Impact Assessment that explicitly considers children’s rights, as required under the ICO’s Age-Appropriate Design Code. Classify large databases and any children’s personal data as requiring enhanced security.
Technical Controls
Follow NCSC ransomware mitigations and the ICO’s guidance on data security. This means patching devices promptly, using firewalls and anti-malware tools, and enforcing strong access controls (unique accounts, least privilege, multi-factor authentication) on all systems containing pupil or staff data. Where possible, encrypt sensitive files and emails, so that stolen data remains unreadable.
Backup and Recovery
Maintain up-to-date, offline or air-gapped backups of all critical systems and data. Test your disaster recovery plan regularly. If systems are encrypted by ransomware, you must have a way to restore operations from backups without paying the ransom.
Staff Training and Policies
Provide staff with regular cybersecurity awareness training (phishing simulations, password hygiene, device security). Train reception and finance teams especially, since attackers often use phone calls or fake invoices to breach schools. Remind all employees that data protection is not “just an IT problem”: even leaving a tablet unlocked or sending information to personal email can cause reportable breaches. Refresh UK GDPR and security training at least annually, as recommended by the ICO. You can learn more about our Data Protection Training programmes here.
Third-Party Oversight
Vet any outsourced providers (like cloud software or payroll firms). For example, Kido’s incident involved a nursery-management app. Make sure contracts require prompt breach notification by vendors, and verify their compliance with GDPR. If a supplier reports a security issue, treat it as a potential breach of your own data.
Incident Response Plan
Prepare and practise an incident response plan (use the NCSC’s “Exercise in a Box” tool). Define roles and notification procedures in advance. Know the legal requirements: under UK GDPR, report any personal data breach that poses a risk to individuals to the ICO within 72 hours, and inform affected families without undue delay. The ICO’s ransomware guidance emphasises having an IR plan with clear thresholds for ICO and data-subject notification. Remember that loss of availability (ransomware lockout) is itself a notifiable personal data breach.
Cyber Essentials and Audits
Consider certification under Cyber Essentials (basic cybersecurity standard for UK organisations) and perform regular security audits or penetration tests. Keep logs of access and reviews of user accounts, and rectify any dormant or excessive privileges. Learn more about our Data Protection Support services to help with audit readiness.
Guidance for Parents
Parents and carers play a key role in mitigating risk. The Kido attack shows that no data is 100% safe once breached, but families can take precautions:
Verify Communications
Ignore unsolicited calls, texts or emails demanding payment or personal information. In this case, parents were directly threatened by the attackers. If your child’s nursery contacts you, expect it to be through official channels (direct lines or named staff). If in doubt, hang up and call the nursery’s main office or law enforcement.
Protect Personal Data
Limit how much your child’s identifying information you share online. Avoid posting school ID numbers, addresses, or birthdays alongside photos on social media. Even innocent sharing can give fraudsters clues. Teach older children not to divulge personal details to strangers or on public forums.
Monitor for Identity Theft
Consider checking or freezing your child’s credit files. In the UK, parents can request a report for their child (or freeze it) with major credit agencies once the child is old enough to have a credit file. If you suspect your child’s identity has been misused, report it to Action Fraud and the relevant financial institutions immediately. The long-term impact of child ID theft can linger (as in a noted case where a teen only discovered years later that her infant data was used to open accounts).
Follow Official Guidance
Stay informed via reputable sources. The NCSC and ICO both stress the importance of baseline security for families, such as using strong unique passwords and up-to-date software on home devices. The NCSC has published specific advice for early years settings and for individuals worried about breaches. Resources like GetSafeOnline.org and the ICO’s breach recovery guides can help you and your child respond to any suspicious activity.
Conclusion
This incident is a stark reminder that even trusted institutions can be breached, and that children’s data is uniquely valuable to cybercriminals. While law enforcement works to hold the culprits to account, nurseries and parents must both shore up defences and remain vigilant. Following official guidance from the ICO and NCSC is key. By combining strong technical controls, clear policies and open communication with parents, early years providers can better protect the children in their care. Likewise, parents should use the tools and advice available to safeguard their family’s digital identity.
Sources
National Cyber Security Centre
ICO: Insider Threats in Schools
BBC News
National Crime Agency