Ransomware gang targets Kido nursery chain, exposing data of 8,000 children

The Kido International nursery chain was hit by a ransomware attack claimed by the Radiant Group. The attackers claim to have stolen sensitive personal information belonging to approximately 8,000 children and their families. 

Kido International operates a network of early childhood education facilities, with 18 sites across the United Kingdom, including 17 locations in London and one in Windsor. The company specializes in advanced early childhood development programs and positions itself as bringing international best practices to each of its locations.

The attack was reported to the Metropolitan Police on Thursday, September 25, 2025. The ransomware group has published profiles of 10 children on their dark web site as proof of their breach, complete with photographs, names, and home addresses. Expoed data includes

• Children's personal identifiers: Full names, photographs, and home addresses of approximately 8,000 children
• Parental and caregiver information: Contact details, names, and in some cases workplace information of parents and carers
• Safeguarding documentation: Confidential notes and records related to child protection and welfare
• Educational records: Student profiles and related administrative information

Reports indicate that the criminals have contacted some parents and carers directly by telephone as part of their intimidation tactics.

The number of affected individuals stands at approximately 8,000 children, along with their associated family members and carers, though the total number of people impacted is higher. 

The Metropolitan Police confirmed they received a referral regarding the ransomware attack on a London-based organization on Thursday, September 25, 2025. The Information Commissioner's Office (ICO) has also been notified of the incident and is currently assessing the information provided by Kido International.

Update - The Radiant ransomware group is now threatening to release additional sensitive data, including profiles of 30 more children and 100 employees.

As of 2nd of October 2025, The Radiant ransomware claims to have delete the data and ceased activities due to public backlash. The school denies paying the estimated £100,000 ransom. Historical precedent from similar ransomware incidents shows that threat actors often retain stolen data on their servers even after claiming deletion or receiving payment.