= Kido International cyberattack =

The Kido International cyberattack was a ransomware incident disclosed in September 2025 that targeted Kido International, a multinational early-years education provider operating nurseries across Greater London and internationally. A criminal group claimed to have accessed and leaked personal data relating to about 8,000 children and staff, including photographs, dates of birth, home addresses and parent contact details.

The incident received wide coverage in the United Kingdom and internationally, with reporting highlighting the unusual sensitivity of the compromised information and the safeguarding risks associated with data breaches involving young children. The attack prompted guidance from the UK's National Cyber Security Centre (NCSC), and two teenagers were later arrested in connection with the incident.

== Background ==
Kido International operates nurseries across Greater London and in several international locations. Early reporting indicated that the breach originated in a third-party digital platform used to store and share children's photographs and developmental information with parents.

Cybersecurity research had previously identified early-years education providers as particularly vulnerable to cyberattacks due to their reliance on cloud-based communication tools, fragmented digital infrastructure and limited internal security capacity.

== Attack ==
The attackers claimed to have stolen data relating to approximately 8,000 children enrolled in Kido's nurseries. Media outlets reported that the compromised information included children's names, photographs, dates of birth, home addresses and parental contact details. Staff data was also reportedly targeted for potential publication.

Sample profiles of ten children were posted on a dark web leak site. Subsequently, these profiles were removed and the hackers said that they would not release any data relating to Kido on the dark web. The group claiming responsibility also communicated directly with Sky News, threatening further data releases.

Cybersecurity outlets reported that the leak site used tactics characteristic of “double-extortion” ransomware operations, including staged data releases and countdown mechanisms. Such techniques have been widely documented in international threat-intelligence reporting.

== Perpetrators ==
Multiple news sources identified the ransomware group Radiant as the likely perpetrators, noting previous incidents targeting education, healthcare and social-care providers. Reporting from cybersecurity outlets indicated that Radiant typically employed a double-extortion model: exfiltrating data, encrypting systems and threatening publication to coerce payment.

== Response ==
Kido International stated that it had notified affected families and engaged external cybersecurity specialists. The breach was reported to the UK's Information Commissioner's Office (ICO).

The National Cyber Security Centre (NCSC) issued guidance to early-years providers, highlighting systemic vulnerabilities within the sector.

Academic and regulatory bodies have emphasised that breaches involving children carry heightened safeguarding risks and long-term privacy implications.

== Law enforcement investigation ==
The Metropolitan Police Service opened an investigation through its Cyber Crime Unit. Two 17-year-olds were arrested on 7 October 2025 on suspicion of offences under the Computer Misuse Act 1990 and for alleged blackmail.

== See also ==
- List of data breaches
- List of cyberattacks
- Cybercrime
- Ransomware
- Information governance
